Pentagon Probes Microsoft’s Use of Chinese Coders


Defense Department Suspends, Reviews Microsoft ‘Digital Escorts’ Program


The U.S. Department of Defense is reviewing Microsoft’s use of Chinese nationals to write code for military cloud infrastructure following reports that the tech firm used inexperienced U.S. citizens to putatively oversee foreign coders.

Defense Secretary Pete Hegseth said Wednesday the Pentagon became aware of Microsoft’s foreign coder program in July and took steps to dismantle the nearly decade-long arrangement. Under the program, Microsoft used a global workforce – including employees in China – by having cleared personnel in the United States, called “digital escorts,” review foreign coders’ work.

A July exposé by ProPublica found that some digital escorts had little coding experience and that Pentagon officials were not familiar with the practice.

Hegseth described the program as “obviously unacceptable – especially in today’s digital threat environment” and said he directed officials to ensure the system was no longer active across the entire department. The review comes after Microsoft said in July that it made changes “to assure that no China-based engineering teams are providing technical assistance for DOD government cloud and related services.”

It is unclear whether Microsoft outsourcing to China could have exposed sensitive U.S. data or given malicious actors access to military systems. The tech giant used the escort program to handle information that fell below the classified level. But Chinese coders may have had access to cloud systems categorized as “high impact” by federal cloud security standards body FedRAMP. System penetrations or outages at that level are expected to have a “severe or catastrophic adverse effect on organizational operations” and individuals.

“The use of Chinese nationals to service Department of Defense cloud environments? It’s over,” Hegseth said. He added that the Pentagon has issued a formal letter of concern to Microsoft requiring a third-party audit of its digital escorts program and alleging the company performed a “breach of trust” by hiring Chinese engineers for U.S. military projects. Microsoft did not immediately respond to a request for comment.

Sen. Tom Cotton, R-Ark., chair of the Senate Select Committee on Intelligence, urged Hegseth in a July letter to provide Congress with more information about DOD contractors that employ Chinese personnel to provide maintenance or other services on government systems, and to ensure the department is guarded “against all potential threats within its supply chain, including those from subcontractors.”

China is a main aggressor in cyberspace, with Beijing-linked hackers breaching the U.S. sanctions office in a recent attack on the Treasury Department, embedding themselves in nationwide telecom networks and critical infrastructure, and snooping around federal networks.

Experts have noted in recent congressional testimony that the U.S. has “precious little to show” for its cyber defenses in the wake of the Salt Typhoon hacking (see: Experts See Little Progress After Major Chinese Telecom Hack).
