Pentagon ends Microsoft's use of China-based support staff for DoD cloud
- Reference: 1756484174
- News link: https://www.theregister.co.uk/2025/08/29/pentagon_ends_microsofts_use_of/
- Source link:
Defense secretary Pete Hegseth [1]announced the change in policy Thursday. He said that even though Microsoft designed its policy of using staff based behind the Great Firewall to comply with government contracting rules, it was still an unacceptable risk.
"It blows my mind that I'm even saying these things … [and] that we ever allowed it to happen," Hegseth said of the so-called "digital escorts program."
[2]
ProPublica first [3]reported in July Microsoft was using engineers based in China to support the DoD's Azure use. Those engineers were being remotely supervised by US "escorts," whom Microsoft said are all US citizens with government security clearances. Hegseth said he intended to investigate the matter last month, and yesterday's notice was the first outcome to come from that work.
[4]
[5]
As is likely obvious to anyone except Microsoft, allowing China-based developers to support operations on sensitive government systems is fraught with risk. According to ProPublica, none of the other major cloud providers it spoke to admitted to doing anything similar.
"If you're thinking America first, and common sense, this doesn't pass either of those tests," Hegseth said.
[6]
While developers working from China are no longer supporting DoD systems, according to both Hegseth and [7]Microsoft itself, the investigation is not over.
The DoD said that it sent a "formal letter of concern" to Microsoft over the incident and is "requiring a third-party audit of the digital escorts program to pore over the code and submissions made by Chinese nationals." Hegseth has also tasked the DoD with investigating whether any of the employees "negatively impacted the coding of DoD cloud systems," and the DoD is now requiring that all software vendors identify and end any involvement from of devs in China with DoD cloud systems. A timeline for those investigations wasn't provided.
How many more straws can this camel handle?
Microsoft has been caught being sloppy on security with government agencies before.
Readers may recall when China broke into the Commerce and State Departments' Exchange Online instances [8]in 2023 , or when attackers exploited a [9]Sharepoint vulnerability to hit an unnamed "major western government" [10]in July .
[11]Microsoft reportedly cuts China's early access to bug disclosures, PoC exploit code
[12]Microsoft bigwig says the Feds catching Chinese spies in Exchange Online is the cloud working as intended
[13]Microsoft answered Congress' questions on security. Now the White House needs to act
[14]US officials, experts fear China ransacked Exchange servers for data to train AI systems
Former senior White House cyber policy director AJ Grotto told us last year that he considers [15]Microsoft to be a national security threat . He's not alone, either, with former White House cyber and counter terrorism advisor Roger Cressey also expressing incredulity at the fact Redmond's been allowed to [16]continue rolling in government cash (even [17]Pentagon money ) despite its repeat failures.
"The Chinese are so well prepared and positioned on Microsoft products that in the event of hostilities, we know for a fact that Chinese actors will target our critical infrastructure through Microsoft," Cressey told The Register in an interview earlier this month.
"This is the latest episode of a decades-long process of Microsoft not taking security seriously. Full stop," Cressey added, referring to [18]yet another Exchange vulnerability it revealed in early August.
[19]
We also feel it important to point out that Microsoft's [20]statement on the digital escorts program only mentions ending China-based engineer support for "DoD Government cloud and related services," with no mention of it ending the practice at other government agencies. Microsoft's statement to us didn't clarify matters.
"Microsoft has terminated the use of any China-based engineering teams for DoD cloud systems and we will continue to collaborate with the US Government to ensure we are meeting their expectations," a company spokesperson told The Register in an emailed statement. "We remain committed to providing the most secure services possible to the US government, including working with our national security partners to evaluate and adjust our security protocols as needed.”
Whether the government has actually learned its lesson this time is unclear. Microsoft hasn't suffered much for its previous security failings, some of which included the actual theft of sensitive data.
We reached out to the DoD and White House to see if this has finally made it reconsider giving Microsoft such a high level of control over federal government IT, but neither responded by publication time. ®
Get our [21]Tech Resources
[1] https://www.defense.gov/News/News-Stories/Article/Article/4288992/pentagon-halts-chinese-coders-affecting-dod-cloud-systems/
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/publicsector&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2aLIi9r6Z1kHBdbAQgqyq0wAAANQ&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[3] https://www.theregister.com/2025/07/28/microsoft_china_staffers_us_govt_cloud/
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/publicsector&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aLIi9r6Z1kHBdbAQgqyq0wAAANQ&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/publicsector&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aLIi9r6Z1kHBdbAQgqyq0wAAANQ&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/publicsector&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aLIi9r6Z1kHBdbAQgqyq0wAAANQ&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[7] https://x.com/fxshaw/status/1946299139068965008/
[8] https://www.theregister.com/2023/07/13/microsoft_alleges_china_behind_espionagefocused/
[9] https://www.theregister.com/2025/07/21/massive_security_snafu_microsoft/
[10] https://www.theregister.com/2025/07/22/chinese_groups_attacking_microsoft_sharepoint/
[11] https://www.theregister.com/2025/08/21/microsoft_cuts_chinas_early_access/
[12] https://www.theregister.com/2024/06/14/brad_smith_microsoft_hearing/
[13] https://www.theregister.com/2024/06/15/microsoft_brad_smith_congress/
[14] https://www.theregister.com/2021/08/31/in_brief_security/
[15] https://www.theregister.com/2024/04/21/microsoft_national_security_risk/
[16] https://www.theregister.com/2024/04/05/microsoft_government_contracts/
[17] https://www.theregister.com/2024/06/04/pentagon_doubling_down_on_microsoft/
[18] https://www.theregister.com/2025/08/07/microsoft_cisa_warn_yet_another/
[19] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/publicsector&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aLIi9r6Z1kHBdbAQgqyq0wAAANQ&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[20] https://x.com/fxshaw/status/1946299139068965008/
[21] https://whitepapers.theregister.com/
Re: Ha ha ha ha
Imagine being a European country and outsourcing your vital IT to American software company
Re: Ha ha ha ha
Never been a big fan of horror flicks.
Re: Ha ha ha ha
Only someone Microsoft in the head could have thought this was ok. And I don't appreciate having to take the same side as Pete Keggerseth.
Re: Ha ha ha ha
And over the years it has only gotten worse. Completely boggles the mind. Oh wait, I live in the US, mind double boggled.
Microsoft responded
that it has now resolved the issue and will henceforth outsource any DoD software roles to North Korea.
"Microsoft designed its policy of using staff based behind the Great Firewall to comply with government contracting rules"
The letter but not the spirit it seems. Even so, they should have realised it couldn't possibly be acceptable.
I suppose anyone but Microsoft would have found it galling to be lectured on common sense by Mr Signal Leak with him having the right of it.
Why do governments hate using Linux so much?
If it's not Capitalist then it must be Communist?
That's a good question. Many years ago I was a consultant to a local government. I wasn't just proposing stuff and cashing my check; I got to implement them too, which I really enjoyed about that gig. One thing I wanted to do there was move them from Windows to Linux, but I didn't tell anyone that. Instead I was going to first move everyone to applications available on Linux, one at a time, starting with MS Office to LibreOffice. Dear mother of God what a hornet's nest that was. People just don't want to change. I had other fish to fry so I backed down from that idea and made other improvements instead.
At the same time I was the owner/operator of the town's first internet café (which tells you how long ago this was). The machines were all Linux, albeit with a DE that had a Win95-like start button and taskbar. In all the years of operation only one customer even commented on it.
I guess the conclusion to be drawn from those two examples is, get the OS and applications right from the beginning, and users will take what they're given. But heaven help you if you ever dare change those choices later.
Why is DoD outsourcing at all ?
It means that sensitive data will be maintained by staff that are unknown to DoD and prolly not security vetted. Working from who knows where using computers (desktops) of unknown security status (maybe some at their home).
Yes: the agreement might say all sorts of fine things but anyone with any experience in this sort of thing will know that over time security agreements will erode ... eg: the relevant security cleared expert is ill/on-holiday/... so another expert, as a one off, temporarily brought in; temporary slides into often and long term.
On the DoD side: there could be restrictions on what sort of documents/... are put into the MS cloud. Again: that might start well, but sensitive stuff will end up there by accident or as a one off as it is easier than the correct, secure system.
The DoD is big enough to create its own cloud and employ their own staff to keep it working.
Re: Why is DoD outsourcing at all ?
For that matter, is the DoD using cloud platforms for anything at all that is protectively marked/classified? If so, why?
Re: Why is DoD outsourcing at all ?
Because for decades the DoD has mostly existed for private profit. It favors big weapons systems where they can divide up the work so nearly every congressional district has some money coming in for it, that makes it almost impossible to kill even when it is a boondoggle like F35.
he considers Microsoft to be a national security threat
Loads of Americans consider the Trump regime to be a national security threat.
I guess the USG could roll out a Trumpian version of the Nuremberg Race Laws to define those who are American enough to support government tech. Three American grandparents, American partners, etc
Re: he considers Microsoft to be a national security threat
Make it even more strict:- Three American parents!
Re: he considers Microsoft to be a national security threat
But it isn't as though the objection was American citizens of Chinese descent working on this. They were having Chinese citizens who have probably never set foot in the US working on it! I don't even know how that happens, given all the requirements for obtaining clearance to do even the simplest stuff on a DoD project.
There ought to be some consequences to Microsoft for knowingly and blatantly violating US government citizenship and clearance requirements for working on defense related projects. If this was a "small contractor" that only did a billion dollars or so of business a year they'd have all their contracts canceled and end up bankrupt in no time. But Microsoft is told "hey don't do that" while they continue to feed at the taxpayer trough to the tune of billions a year.
Re: he considers Microsoft to be a national security threat
There is no consider to consider. He is a proven security threat several times over and is completely dedicated to doubling (tripling, quadrupling?) down on that.
It's about the $$$
Microsoft is not stupid, naive, or gullible. What Microsoft is is aware that money spent on security issues is money not spent on executive salaries and shareholder dividends.
Re: It's about the $$$
I was the security consultant to a bid to manage a UK Government system, and the 'sales person' was adamant that I must not be permitted to tell them they could not use support staff and systems based in India. He even went up, across and down the management chains to get my direct line manager (also a security consultant) to tell me that a specific named senior manager, had said to tell me that. Otherwise the price would be too high and we would lose the bid.
Well, the data being at the time RESTRICTED, and being contractually obliged by my contract with GCHQ/CESG to prevent said offshoring of support, the bid was not a happy one.
I wonder if they will find out who actually approved this monumentally stupid idea and see if they cannot sue or prosecute them.
I need a drink, and I don't mean water.
I'll say it again
How are U.S. fed systems being constantly breached?
Because they are effing stupid.
Except it probably isn't an accident
No room to give the benefit of the doubt since China has infiltrated MS. But whatever, lets act like its an oversight and sloppy.
Flag: I don't want to worry anyone, but
On the screen image for the story, the stars in the 'Star Spangled Banner' aka the flag of the United States of America, do not appear to be quite right.
See, e.g., https://www.britannica.com/topic/flag-of-the-United-States-of-America
Of course as a 'limey' I am probably not allowed to comment on another country's flag, but as their Supreme Leader has just signed an EO banning the burning of said flag, I think the USAfolk might want to check.
Re: Flag: I don't want to worry anyone, but
Just 48 stars - Maybe Trump is deporting a couple of undesirable States?
Ha ha ha ha
FFS !!!
I just cannot comprehend the level of stupidity that must be everywhere in that company