Microsoft's "Digital Escort" Program Could Leave Sensitive Government Info Vulnerable to Espionage
A ProPublica investigation has uncovered a concerning flaw in Microsoft's approach to supporting its cloud computing services with sensitive government data. The company's use of "digital escorts" - U.S.-based employees who oversee foreign tech support teams in China - raises serious questions about the security of Pentagon computers and potentially exposes them to cyberattacks from China, the nation's greatest cyber adversary.
A Global Workforce with Sensitive Data
Microsoft has long struggled to maintain a workforce that meets its strict requirements for handling sensitive government data. The company relies on engineers in China to help maintain highly sensitive Defense Department computer systems, but this presents a challenge given the prohibition on U.S. citizens working directly with federal data.
The Digital Escort Program
To get around this issue, Microsoft established its low-profile "digital escort" program, which hires U.S.-based employees with security clearances to take direction from overseas experts in China. The digital escorts' role is to copy and paste commands into the federal cloud system, handling data that falls below "classified." This information includes sensitive materials that directly support military operations.
However, ProPublica's investigation reveals that the digital escorts may not have the advanced technical expertise needed to spot problems. "We're trusting that what they're doing isn't malicious, but we really can't tell," said one current escort. The program poses a significant security risk because it creates an opportunity for spies to insert malicious code into Defense Department computer systems.
The Possibility of Malicious Activity
A former Microsoft engineer acknowledged that the digital escort model could expose Pentagon data to cyberattacks. "If someone ran a script called 'fix_servers.sh' but it actually did something malicious, then [escorts] would have no idea," said Matthew Erickson. This lack of oversight raises serious concerns about the potential for espionage.
Safeguards and Expert Analysis
Microsoft claims that its digital escort program is government-approved and provides safeguards to protect sensitive data. However, experts warn that these controls may not be sufficient to prevent malicious activity.
"If I were an operative, I would look at that as an avenue for extremely valuable access," said Harry Coker, a former senior executive at the CIA and National Security Agency. "We need to be very concerned about that."
The Opening for Chinese Espionage
Chinese laws allow government officials to collect data "as long as they're doing something that they've deemed legitimate," said Jeremy Daum, a senior research fellow at the Paul Tsai China Center at Yale Law School. Microsoft's use of digital escorts presents an opening for Chinese espionage.
Microsoft says its personnel and contractors operate in a manner consistent with US Government requirements and processes. However, former Pentagon officials said they had never heard of the digital escort program, and the Defense Department's IT agency didn't know about it until reached by ProPublica.
"I probably should have known about this," said John Sherman, former chief information officer for the Defense Department during the Biden administration. "This system is a major security risk for the department." The Defense Information Systems Agency has called for a thorough review of the program.