The Silent Risk: How Microsoft's China-Based Engineers Exposed Pentagon Cloud Systems
A national security firestorm erupts as Microsoft's decade-long practice of using China-based engineers to maintain sensitive Defense Department cloud systems sparks urgent questions about contractor oversight and foreign access to U.S. military infrastructure.
Executive Summary
Microsoft's reliance on China-based engineers to maintain sensitive Pentagon cloud systems—without proper disclosure—has sparked a national security firestorm, exposing serious gaps in federal contractor oversight and raising urgent concerns about foreign access to U.S. defense infrastructure.
For nearly a decade, Microsoft employed China-based engineers to provide critical technical support for the Department of Defense (DoD) cloud computing systems, particularly on the Azure Government platform. The arrangement relied on U.S.-based "digital escorts" with security clearances to supervise these foreign engineers, but these workers often lacked the technical expertise to police foreign engineers with far more advanced skills, leaving some of the nation's most sensitive data vulnerable to hacking from its leading cyber adversary.

The Digital Escort System: A Flawed Security Model
How It Worked
The arrangement was critical to Microsoft winning the federal government's cloud computing business a decade ago and relied on U.S. citizens with security clearances to oversee the work and serve as a barrier against espionage and sabotage.
The process followed a concerning pattern:
- Ticket Filing: A Microsoft engineer in China files an online "ticket" to take on technical support work
- Digital Meeting: The engineer and the U.S.-based escort meet on the Microsoft Teams conferencing platform
- Command Transfer: The engineer sends computer commands to the U.S. escort, presenting an opportunity to insert malicious code
- System Access: The escort, who may not have advanced technical expertise, inputs the commands into the federal cloud system
The Skills Gap Crisis
A Microsoft contractor called Insight Global posted an ad in January seeking an escort to bring engineers without security clearances "into the secured environment" of the federal government and to "protect confidential and secure information from spillage." The pay started at $18 an hour.
"People are getting these jobs because they are cleared, not because they're software engineers," said one escort who agreed to speak anonymously. Each month, the company's roughly 50-person escort team fields hundreds of interactions with Microsoft's China-based engineers and developers, inputting those workers' commands into federal networks.
"We're trusting that what they're doing isn't malicious, but we really can't tell," said one current escort who agreed to speak on condition of anonymity, fearing professional repercussions.
What Was at Stake: High-Impact Defense Systems
Classification Levels Exposed
Microsoft used its escort system to handle sensitive government information that falls below "classified." At the Defense Department, the data is categorized as "Impact Level" 4 and 5, which includes materials directly supporting military operations.
According to the government, this "high impact level" category includes "data that involves the protection of life and financial ruin." The "loss of confidentiality, integrity, or availability" of this information "could be expected to have a severe or catastrophic adverse effect" on operations, assets and individuals.
Azure Government Platform at Risk
The change Microsoft announced to its government support affects the work of its Azure cloud services division, which analysts estimate now generates more than 25% of the company's revenue. Azure Government was the first hyperscale cloud services platform to be awarded a DoD IL5 Provisional Authorization (PA) by the Defense Information Systems Agency (DISA).
The ProPublica Investigation: Bringing Truth to Light
Key Revelations
The issue burst into the public eye after a thorough ProPublica investigation revealed the true scope of Microsoft's offshore technical support model. The investigation found that:
- The system has been in place for nearly a decade, though its existence had not been reported publicly before the ProPublica investigation
- Former government officials said in interviews that they had never heard of digital escorts
- "Literally no one seems to know anything about this, so I don't know where to go from here," said Deven King, spokesperson for the Defense Information Systems Agency
Historical Context and Warnings Ignored
Over the years, various people involved in the work, including a Microsoft cybersecurity leader, warned the company that the arrangement is inherently risky, but the company launched and expanded it anyway.
When Microsoft brought the escort concept to executives, colleagues had mixed reactions. Tom Keane, then the corporate vice president for Microsoft's cloud platform, Azure, embraced the idea as it would allow the company to scale up. But a former employee involved in cybersecurity strategy opposed the concept, viewing it as too risky from a security perspective. "People who got in the way of scaling up did not stay," the former employee told ProPublica.
The Critical Security Plan Omission
What Microsoft Failed to Disclose
Microsoft, as a provider of cloud services to the U.S. government, is required to regularly submit security plans to officials describing how the company will protect federal computer systems. Yet in a 2025 submission to the Defense Department, the tech giant left out key details, including its use of employees based in China, the top cyber adversary of the U.S., to work on highly sensitive department systems.
The document belies Microsoft's repeated assertions that it disclosed the arrangement to the federal government, showing exactly what was left out as it sold its security plan to the Defense Department.
Regulatory Requirements vs. Reality
Since 2011, cloud computing companies like Microsoft that wanted to sell their services to the U.S. government had to establish how they would ensure that personnel working with federal data would have the requisite "access authorizations" and background screenings. Additionally, the Defense Department requires that people handling sensitive data be U.S. citizens or permanent residents.
Microsoft's response was to create the digital escort system as "the path of least resistance," according to former Microsoft program manager Indy Crowley.
The China Threat: Why This Matters
The Geopolitical Context
The Office of the Director of National Intelligence has called China the "most active and persistent cyber threat to U.S. Government, private-sector, and critical infrastructure networks." One of the most prominent examples of that threat came in 2023, when Chinese hackers infiltrated the cloud-based mailboxes of senior U.S. government officials, stealing data and emails from the commerce secretary, the U.S. ambassador to China and others working on national security matters. The intruders downloaded about 60,000 emails from the State Department alone.
Legal Vulnerability
Chinese laws allow government officials there to collect data "as long as they're doing something that they've deemed legitimate," said Jeremy Daum, senior research fellow at the Paul Tsai China Center at Yale Law School. Microsoft's China-based tech support for the U.S. government presents an opening for espionage, "whether it be putting someone who's already an intelligence professional into one of those jobs, or going to the people who are in the jobs and pumping them for information. It would be difficult for any Chinese citizen or company to meaningfully resist a direct request from security forces or law enforcement."
Expert Assessment
"If I were an operative, I would look at that as an avenue for extremely valuable access. We need to be very concerned about that," said Harry Coker, who was a senior executive at the CIA and the National Security Agency. Coker, who also was national cyber director during the Biden administration, added that he and his former intelligence community colleagues "would love to have had access like that."
The Political Firestorm: Congressional Response
Senator Tom Cotton's Investigation
Senator Tom Cotton (R-Arkansas), Chairman of the Senate Select Committee on Intelligence, sent multiple letters to Secretary of Defense Pete Hegseth, requesting information about Department of Defense contractors that hire Chinese personnel to provide maintenance and services to department systems.
"The U.S. government recognizes that China's cyber capabilities pose one of the most aggressive and dangerous threats to the United States, as evidenced by infiltration of our critical infrastructure, telecommunications networks, and supply chains. DoD must guard against all potential threats within its supply chain, including those from subcontractors."
Broader Congressional Concerns
"Foreign persons should never be allowed to access DoD systems, regardless of whether a U.S. citizen is supervising," Cotton wrote in a subsequent letter. "The Department, particularly the Under Secretary of Defense for Intelligence and Security, has the authority to immediately make these policy changes. I urge you to do so now."
Sen. Jeanne Shaheen (D-N.H.), the top Democrat on the Senate Foreign Relations Committee, also raised questions in a letter to Defense Secretary Pete Hegseth about the Pentagon's implementation of a 2018 provision requiring defense contractors to disclose when a country considered a cyber threat has asked them to share their source code.
Government Response: Swift Action and Reviews
Defense Secretary Pete Hegseth's Response
"This is obviously unacceptable, especially in today's digital threat environment," Defense Secretary Pete Hegseth said. He described the architecture as "a legacy system created over a decade ago, during the Obama administration." The Defense Department launched a review of its systems in search of similar activity.
"Foreign engineers — from any country, including of course China — should NEVER be allowed to maintain or access DOD systems," Hegseth wrote in a post on X.
Pentagon Investigation
Hegseth did not provide further details about the review but said that "some tech companies" use these models to assist with the department's cloud services, hinting that other major Pentagon cloud providers might have similar arrangements.
Microsoft's Response and Damage Control
Immediate Changes
"In response to concerns raised earlier this week about US-supervised foreign engineers, Microsoft has made changes to our support for US Government customers to assure that no China-based engineering teams are providing technical assistance for DoD Government cloud and related services," Microsoft's chief communications officer, Frank Shaw, announced on X Friday afternoon.
Broader Government Impact
But it turns out the Pentagon was not the only part of the government facing such a threat. For years, Microsoft has also used its global workforce, including China-based personnel, to maintain the cloud systems of other federal departments, including parts of Justice, Treasury and Commerce.
This work has taken place in what's known as the Government Community Cloud, which is intended for information that is not classified but is nonetheless sensitive.
Systemic Issues: Why This Happened
The Scaling Challenge
The department's citizenship requirement presented an issue for Microsoft, given its reliance on a vast global workforce, with significant operations in India, China and the European Union. So the company tapped a senior program manager named Indy Crowley to put federal officials at ease.
Crowley told ProPublica that Defense Department officials asked him who from Microsoft would be "behind the curtain" working on the cloud. Given the department's citizenship requirements, the officials raised the possibility of Microsoft "hiring a bunch of U.S. citizens to maintain the federal cloud" directly. For Microsoft, the suggestion was a nonstarter because the increased labor costs of implementing it broadly would make a cloud transition prohibitively expensive for the government.
Corporate Priorities
On its march to becoming one of the world's most valuable companies, Microsoft has repeatedly prioritized corporate profit over customer security. Last year, ProPublica reported that the tech giant ignored one of its own engineers when he repeatedly warned that a product flaw left the U.S. government exposed; state-sponsored Russian hackers later exploited that weakness in one of the largest cyberattacks in history.
Long-Term Implications: What Needs to Change
Federal Oversight Reforms
The Microsoft case underlines the urgent need for transparent contractor security protocols and rigorous government oversight. Key areas requiring attention include:
- Enhanced FedRAMP Requirements: The DoD released a memo clarifying the stringent requirements of FedRAMP moderate "equivalency"—requiring 100 percent compliance with the latest FedRAMP moderate security control baseline through an assessment conducted by a FedRAMP-recognized Third Party Assessment Organization (3PAO).
- CMMC Implementation: The DoD's Cybersecurity Maturity Model Certification (CMMC) Program verifies that contractors have implemented the security measures required to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
- Mandatory Disclosure Requirements: Stricter certification mechanisms and mandatory disclosures of foreign staffing on sensitive projects.
Industry-Wide Scrutiny
The congressional oversight suggests that Microsoft and other high-profile government contractors with large Chinese businesses are likely to face intense scrutiny over their supply-chain security practices.
Lessons Learned: The Path Forward
Key Takeaways
- Transparency is Essential: The case demonstrates the critical importance of full disclosure in security documentation and contractor relationships.
- Technical Supervision Matters: Digital escorts must have adequate technical expertise to effectively supervise foreign personnel, not just security clearances.
- Supply Chain Vigilance: Government agencies need robust mechanisms to identify and assess foreign involvement in sensitive technical support operations.
- Regulatory Alignment: Better coordination between FedRAMP, CMMC, and other security frameworks to prevent exploitation of regulatory gaps.
Ongoing Risks
The risk may be getting more serious by the day, as U.S.-China relations worsen amid a simmering trade war — the type of conflict that experts say could result in Chinese cyber retaliation.
It is difficult to know whether engineers overseen by digital escorts have ever carried out a cyberattack against the U.S. government. But former intelligence official Harry Coker wondered whether it "could be part of an explanation for a lot of the challenges we have faced over the years."
Conclusion
Microsoft's handling of China-based engineers in Pentagon cloud projects has exposed fundamental vulnerabilities in federal security oversight and contract compliance, forcing a reevaluation of how foreign personnel are monitored and necessitating new standards to keep national defense data safe.
John Sherman, who was chief information officer for the Department of Defense during the Biden administration, said he was surprised and concerned to learn of ProPublica's findings. "I probably should have known about this," he said. He told the news organization that the situation warrants a "thorough review by DISA, Cyber Command and other stakeholders that are involved in this."
The incident serves as a stark reminder that in an era of increasing cyber threats and geopolitical tensions, the security of U.S. defense infrastructure depends not just on advanced technology, but on rigorous oversight, transparent practices, and a clear understanding of the human elements that can either protect or compromise our most sensitive systems.
As cloud computing becomes ever more central to military and national security operations, the lessons from this incident must drive immediate reforms to ensure that convenience and cost savings never again compromise the security of America's defense infrastructure.
This investigation is based on reporting by ProPublica and subsequent government responses, congressional inquiries, and industry analysis conducted in July and August 2025.