Microsoft says it has stopped using China-based engineers to support Defense Department cloud computing systems after ProPublica revealed the practice in an investigation this week.
“In response to concerns raised earlier this week about US-supervised foreign engineers, Microsoft has made changes to our support for US Government customers to assure that no China-based engineering teams are providing technical assistance for DoD Government cloud and related services,” the company’s chief communications officer, Frank Shaw, announced on X Friday afternoon.
Microsoft’s announcement came hours after Defense Secretary Pete Hegseth said his agency would look into Microsoft’s use of foreign-based engineers to help maintain the highly sensitive cloud systems.
“Foreign engineers — from any country, including of course China — should NEVER be allowed to maintain or access DoD systems,” Hegseth wrote in a post on X Friday.
In its investigation, ProPublica detailed how Microsoft uses engineers in China to help maintain the Defense Department’s computer systems — with minimal supervision by U.S. personnel — leaving some of the nation’s most sensitive data vulnerable to hacking or spying from its leading cyber adversary. The arrangement, which was critical to Microsoft winning the federal government’s cloud computing business a decade ago, relies on U.S. citizens with security clearances to oversee the work and serve as a barrier against espionage and sabotage.
But these workers, known as “digital escorts,” often lack the technical expertise to police the work of foreign engineers with far more advanced skills, ProPublica found.
Earlier Friday, Republican Sen. Tom Cotton of Arkansas, chair of the Select Committee on Intelligence, cited ProPublica in a letter to Hegseth asking for details about which DOD contractors use Chinese personnel to maintain the department’s information and computing systems.
China poses “one of the most aggressive and dangerous threats to the United States, as evidenced by its infiltrations of our critical infrastructure, telecommunications networks and supply chains,” Cotton wrote in the letter, which he posted on X. “DOD must guard against all potential threats within its supply chain, including those from subcontractors.”
Since 2011, cloud computing companies like Microsoft that wanted to sell their services to the U.S. government had to establish how they would ensure that personnel working with federal data would have the requisite “access authorizations” and background screenings. Additionally, the Defense Department requires that people handling sensitive data be U.S. citizens or permanent residents.
This presented an issue for Microsoft, which relies on a vast global workforce with significant operations in India, China and the European Union.
So the tech giant enlisted staffing companies to hire U.S.-based digital escorts, who had security clearances that authorized them to access sensitive information, to take direction from the overseas experts. An engineer might briefly describe the job to be completed — for instance, updating a firewall, installing an update to fix a bug or reviewing logs to troubleshoot a problem. Then, with little review, an escort would copy and paste the engineer’s commands into the federal cloud.
“We’re trusting that what they’re doing isn’t malicious, but we really can’t tell,” one escort told ProPublica.
In an earlier statement in response to ProPublica’s investigation, Microsoft said that its personnel and contractors operate in a manner “consistent with US Government requirements and processes.”
The company’s global workers “have no direct access to customer data or customer systems,” the statement said. Escorts “with the appropriate clearances and training provide direct support. These personnel are provided specific training on protecting sensitive data, preventing harm, and use of the specific commands/controls within the environment.”
In addition, Microsoft said it has an internal review process known as “Lockbox” to “make sure the request is deemed safe or has any cause for concern.”
Insight Global — a contractor that provides digital escorts to Microsoft — said it “evaluates the technical capabilities of each resource throughout the interview process to ensure they possess the technical skills required” for the job and provides training.
Doris Burke contributed research.
By Renee Dudley and the team at ProPublica.