What Happened
The Defense Department has tightened cybersecurity requirements for tech companies that sell cloud computing services to the Pentagon.
The updates, issued this month, ban IT vendors from using China-based personnel to work on department computer systems and require companies to maintain a digital paper trail of maintenance performed by their foreign engineers.
Background
The changes follow a ProPublica investigation that exposed how Microsoft used China-based engineers to maintain government computer systems for nearly a decade — a practice that left some of the country’s most sensitive data vulnerable to hacking from its leading cyber adversary.
U.S.-based supervisors, known as “digital escorts,” were supposed to serve as a check on these foreign employees, but we found they often lacked the expertise needed to effectively supervise engineers with far more advanced technical skills.
What They Said
The Defense Department now says in its “Security Requirements Guide” that only “personnel from non-adversarial countries” may work on its cloud systems and that the escorts supervising those foreign workers “must be technically qualified in the code/system or technology they are providing access to.”
In addition, cloud providers must maintain detailed audit logs, a digital trail of actions in computer systems. The logs “must include identification of the escort and escorted,” including country of origin, as well as details of commands executed and settings changed.
Why It Matters
Until our reporting, top Pentagon officials said they had been unaware of Microsoft’s digital escort system, which the company developed as a work-around to a Defense Department requirement that people handling sensitive data be U.S. citizens or permanent residents.
Cybersecurity and intelligence experts have told ProPublica that the arrangement poses major risks to national security, given that laws in China grant the country’s officials broad authority to collect data. Leading members of Congress, in turn, have called on the Defense Department to strengthen its security requirements while blasting Microsoft for what some Republicans called “a national betrayal.”
The Pentagon is now conducting an investigation into the digital escort program, with a focus on Microsoft’s China-based engineers.
Response
Following ProPublica’s reporting, Microsoft announced in July that it would stop using China-based engineers to service Defense Department cloud systems. In a statement for this article, a spokesperson said the company was committed to implementing the department’s new requirements.
“Our commitment to national security is foundational, and we remain focused on providing the most secure services possible to the US government,” the spokesperson said. “We recently implemented changes to our Department support model, and will continue to work with our national security partners to evaluate and adjust our security protocols in light of the new directives.”
Doris Burke contributed research. ProPublica is a nonprofit newsroom that investigates abuses of power.
