
Microsoft has been using Chinese engineers to assist with the maintenance of the Department of Defense’s (DoD) cloud systems, supervised by U.S. personnel known as “digital escorts.” This arrangement, which dates back decades, involved using U.S. citizen Microsoft employees with security clearances to oversee work being done on highly sensitive databases. In many cases these escorts lacked the technical expertise needed to provide the protection that national security requires.
Secretary of Defense Terminates Practice
Secretary of Defense Pete Hegseth stated that the cloud service program put the DoD at unacceptable risk. Hegseth terminated this activity after conducting a review of the program. A letter of concern has been sent to Microsoft about this practice, and a third-party audit will be conducted. This audit will not be conducted using federal funding.
A separate review will be conducted by the DoD of the digital escort system and the Chinese nationals involved in the program to determine the potential impacts to national security and to determine whether malicious code had been introduced.
Secretary Hegseth went on to announce that all software vendors contracted by the DoD will terminate the use of Chinese nationals and put United States security interests ahead of profit maximization. He stated that this action is a common-sense approach to a situation that should never have been allowed to occur.
Impact Level 4 and 5 Data at Risk
ProPublica reported that Impact Level 4 and 5 data, which falls under the classified data category, was at risk. This data, if breached, could result in severe or catastrophic effects on operations, individuals, and assets. In the article, John Sherman, former Chief Information Officer under the Biden administration, stated that he should have known about this and that the situation warranted a thorough review by all stakeholders.
The Defense Information Systems Agency (DISA) commented that cloud service providers are required to establish and maintain protocols for vetting personnel. Various people involved in the program at Microsoft had expressed concerns about its inherent risks.
Federal Government and Industry Leaders Must Set Example
It is important, at a time when so many businesses are scrambling to meet federal requirements for cybersecurity, that the government set an example by exercising basic risk prevention measures with its own data. Additionally, industry leaders such as Microsoft, which is a major provider of FedRAMP storage, should be leading the way in safe cyber practices.
Hopefully, this blatant disregard for security protocols will result in improvements in cybersecurity practices and bring about increased transparency requirements for contractors and subcontractors. Such requirements are already present in export regulations under the Export Administration Regulations (EAR) and the International Traffic in Arms Regulations (ITAR).
It is common knowledge that China remains a top information security threat to the United States and its allies. That Microsoft used Chinese engineers on DoD systems is an egregious affront to international security.
CVG Strategy Information Security Management System Consultants
CVG Strategy can assist your organization in meeting the challenges of the CMMC final rule. We are dedicated to helping small businesses navigate federal regulations and contract requirements for Quality Management, Cybersecurity, Export Compliance, and Test and Evaluation. We can help you meet your information security management system goals. CVG Strategy QMS experts can provide the training required to understand and engage in an ISMS and make it meet desired objectives.
Identify CUI Areas with CVG Strategy Signs
CVG Strategy provides signs to identify areas containing CUI and export-controlled items. These signs should be posted at all facility entrances where products are being produced or services are being performed that are under the control of the U.S. Department of State Directorate of Defense Trade Controls (DDTC) and are subject to the International Traffic in Arms Regulations per Title 22, Code of Federal Regulations (CFR), Parts 120-130.