A Microsoft Project Could Expose The Pentagon To Chinese Hackers

Latest stories

Xi: Ready to push China-Australia relationship further

China accelerates its maglev train to catch up with Japan

Hegseth's drone dominance policy needs offshore production help

Each month, the company's roughly 50-person escort team fields hundreds of interactions with Microsoft's China-based engineers and developers, inputting those workers' commands into federal networks, the employee said.

In a statement to ProPublica, Insight Global said it“evaluates the technical capabilities of each resource throughout the interview process to ensure they possess the technical skills required” for the job, and provides training. The company noted that escorts also receive additional cyber and“insider threat awareness” training as part of the government security clearance process.

“While a security clearance may be required for the role, it is but one piece of the puzzle,” the company said.

Microsoft did not respond to questions about Insight Global.

'The Path of Least Resistance”

When modern cloud technology emerged in the 2000s, offering on-demand computing power and data storage via the internet, it ushered in fundamental changes to federal government operations.

For decades, federal departments used computer servers owned and operated by the government itself to house data and power networks. Shifting to the cloud meant moving that work to massive off-site data centers managed by tech companies.

Federal officials believed that the cloud would provide greater power, efficiency and cost savings. But the transition also meant that the government would cede some control over who maintained and accessed its information to companies like Microsoft, whose employees would take over tasks previously handled by federal IT workers.

To address the risks of this revolution, the government started the Federal Risk and Authorization Management Program , known as FedRAMP, in 2011. Under the program, companies that wanted to sell their cloud services to the government had to establish how they would ensure that personnel working with sensitive federal data would have the requisite“access authorizations” and background screenings. On top of that, the Defense Department had its own cloud guidelines, requiring that people handling sensitive data be US citizens or permanent residents.

This presented an issue for Microsoft, given its reliance on a vast global workforce, with significant operations in India, China and the European Union. So the company tapped a senior program manager named Indy Crowley to put federal officials at ease. Known for his familiarity with the rules and his ability to converse in the government's acronym-heavy lingo, he was dubbed by colleagues the“FedRAMP whisperer.”

In an interview, Crowley told ProPublica that he appealed directly to FedRAMP leadership, arguing that the relative risk from Microsoft's global workforce was minimal. To make his point, he said he once grilled a FedRAMP official on the provenance of code in products supplied by other government vendors such as IBM. The official couldn't say with certainty that only US citizens had worked on the product in question, he said. The cloud, Crowley argued, should not be treated any differently.

Crowley said he also met with prospective customers across the government and he told ProPublica that the Defense Department was the“one making the most demands.” Concerned about the company's global workforce, officials there asked him who from Microsoft would be“behind the curtain” working on the cloud. Given the department's citizenship requirements, the officials raised the possibility of Microsoft“hiring a bunch of US citizens to maintain the federal cloud” directly, Crowley told ProPublica. For Microsoft, the suggestion was a nonstarter, Crowley said, because the increased labor costs of implementing it broadly would make a cloud transition prohibitively expensive for the government.

“It's always a balance between cost and level of effort and expertise,” he told ProPublica.“So you find what's good enough.” Hiring virtual escorts to supervise Microsoft's foreign workforce emerged as“the path of least resistance,” Crowley said.

Microsoft did not respond to ProPublica's questions about Crowley's account.

When he brought the concept back to Microsoft, colleagues had mixed reactions. Tom Keane, then the corporate vice president for Microsoft's cloud platform, Azure, embraced the idea, according to a former employee involved in the discussions, as it would allow the company to scale up. But that former employee, who was involved in cybersecurity strategy, told ProPublica they opposed the concept, viewing it as too risky from a security perspective. Both Keane and Crowley dismissed the concerns, said the former employee, who left the company before the escort concept was deployed.

“People who got in the way of scaling up did not stay,” the former employee told ProPublica.

Crowley said he did not recall the discussion. Keane did not respond to requests for comment.

On its march to becoming one of the world's most valuable companies, Microsoft has repeatedly prioritized corporate profit over customer security, ProPublica has found. Last year, the news organization reported that the tech giant ignored one of its own engineers when he repeatedly warned that a product flaw left the US government exposed; state-sponsored Russian hackers later exploited that weakness in one of the largest cyberattacks in history. Microsoft has defended its decision not to address the flaw, saying that it received“multiple reviews” and that the company weighs a variety of factors when making security decisions.

A skills gap from the start

The idea of an escort wasn't novel. The National Institute of Standards and Technology , which serves as the federal government's standards-setting body, had established recommendations on how IT maintenance should be performed on-site, such as in a restricted government office.“Maintenance personnel that lack appropriate security clearances or are not US citizens” must be escorted and supervised by“approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified,” the guidelines state.

The government at the time specified the intent of the recommendation: to deny“individuals who lack appropriate security clearances ... or who are not US citizens, visual and electronic access to” sensitive government information.

But escorts in the cloud wouldn't necessarily be able to meet that goal, given the gap in technical expertise between them and the Microsoft counterparts they would be taking direction from.

That imbalance, though, was baked into the escorting model.

Erickson, the former Microsoft engineer who worked on the model, told ProPublica that escorts are“somewhat technically proficient,” but mainly are“just there to make sure the employees don't accidentally or intentionally view” passwords, customer data or personally identifiable information.“If there are problems with the underlying” cloud services,“then only the people who work on those services at Microsoft would have the requisite knowledge to fix it,” he said.

Advanced threats from foreign adversaries weren't on the radar for Erickson, who said he didn't“have any reason to suspect someone more just based on their country of origin.”

“I don't think there is any extra threat from Microsoft employees based in other countries,” he said.

Pradeep Nair, a former Microsoft vice president who said he helped develop the concept from the start, said that the digital escort strategy allowed the company to“go to market faster,” positioning it to win major federal cloud contracts. He said that escorts“complete role-specific training before touching any production system” and that a variety of safeguards including audit logs, the digital trail of system activity, could alert Microsoft or the government to potential problems.

“Because these controls are stringent, residual risk is minimal,” Nair said.

But legal and cybersecurity experts say such assumptions ignored the massive cyber threat from China in particular. Around the time that Microsoft was developing its escort strategy, an attack attributed to Chinese state-sponsored hackers resulted in the largest breach of US government data up to that point. The theft initially targeted a government contractor and eventually compromised the personal information of more than 22 million people , most of them applicants for federal security clearances.

Chinese laws allow government officials there to collect data“as long as they're doing something that they've deemed legitimate,” said Jeremy Daum, senior research fellow at the Paul Tsai China Center at Yale Law School. Microsoft's China-based tech support for the US government presents an opening for espionage,“whether it be putting someone who's already an intelligence professional into one of those jobs, or going to the people who are in the jobs and pumping them for information,” Daum said.“It would be difficult for any Chinese citizen or company to meaningfully resist a direct request from security forces or law enforcement.”

Erickson acknowledged that having an escort doesn't prevent foreign developers“from doing 'bad' things. It just allows for there to be a recording and a witness.” He said if an escort suspects malicious activity, they will end the session and file an incident report to investigate further.

How much of this information federal officials understood is unclear.

A Microsoft spokesperson said the company described the digital escort model in the documents submitted to the government as part of cloud vendor authorization processes. However, it declined to provide those records or to tell ProPublica the exact language it used in them to describe the escort arrangement, citing the potential security risk of publicly disclosing it.

In addition to a third-party auditor, Microsoft's documentation theoretically would have been reviewed by multiple parties in the government, including FedRAMP and DISA. DISA said the materials are“not releasable to the public.” The General Services Administration, which houses FedRAMP, did not respond to requests for comment.

The“Right Eyes” for the Job?

In June 2016, Microsoft announced that it had received FedRAMP authorization to work with some of the government's most sensitive data. Matt Goodrich, then FedRAMP director, said at the time that the accreditation was“a testament to Microsoft's ability to meet the government's rigorous security requirements.”

Around the same time, Microsoft put the escort concept into practice, engaging contacts from defense giant Lockheed Martin to hire cloud escorts, two people involved in the contract told ProPublica.

A project manager, who asked for anonymity to describe confidential discussions, told ProPublica that they were skeptical of the escort arrangement from the start and voiced those feelings to their Microsoft counterpart. The manager was especially concerned that the new hires would not have the“right eyes” for the job given the relatively low pay set by Microsoft, but the system went ahead anyway.

Lockheed Martin referred questions to Leidos, a company that took over Lockheed's IT business following a merger in 2016. Leidos declined to comment.

As Microsoft captured more of the government's business, the company turned to additional subcontractors, typically staffing companies, to hire more digital escorts.

Analyzing profiles on LinkedIn, ProPublica identified at least two such firms: Insight Global and ASM Research, whose parent company is consulting giant Accenture. While the scope of each firm's business with Microsoft is unclear, ProPublica found more workers identifying themselves as digital escorts at Insight Global, many of them former military personnel, than at ASM. ASM and Accenture did not respond to requests for comment

Concerns about china

Some Insight Global workers recognized the same problem as the former Lockheed manager: a mismatch in skills between the US-based escorts and the Microsoft engineers they are supervising. The engineers might briefly describe the job to be completed - for instance, updating a firewall, installing an update to fix a bug or reviewing logs to troubleshoot a problem. Then, with limited inspection, the escort copies and pastes the engineer's commands into the federal cloud.

“They're telling nontechnical people very technical directions,” the current Insight Global escort said, adding that the arrangement presents untold opportunities for hacking. As an example, they said the engineer could install an update allowing an outsider to access the network.

“Will that get caught? Absolutely,” the escort told ProPublica.“Will that get caught before damage is done? No idea.”

The escort was particularly concerned about the dozens of tickets a week filed by workers based in China. The attack targeting federal officials in 2023 - in which Chinese hackers stole 60,000 emails - underscored that fear.

The federal Cyber Safety Review Board, which investigated the attack, blamed Microsoft for security lapses that gave hackers their opening. Its published report did not mention digital escorts, either as playing a role in the attack or as a risk to be mitigated. Sherman, the former chief information officer for the Defense Department, and Coker, the former intelligence official, who both also served as members of the CSRB, told ProPublica that they did not recall the board ever discussing digital escorting, which they said they now consider a major threat. The Trump administration has since disbanded the CSRB.

In its statement, Microsoft said it expects escorts“to perform a variety of technical tasks,” which are outlined in its contracts with vendors. Insight Global said it evaluates prospective hires to ensure they have those skills and trains new employees on“all applicable security and compliance policies provided by Microsoft.”