A Little-Known Microsoft Program Could Expose the Defense Department to Chinese Hackers

15.07.2025

by Renee Dudley, with research by Doris Burke

ProPublica is a nonprofit newsroom that investigates abuses of power.

Microsoft is using engineers in China to help maintain the Defense Department’s computer systems — with minimal supervision by U.S. personnel — leaving some of the nation’s most sensitive data vulnerable to hacking from its leading cyber adversary, a ProPublica investigation has found.

The arrangement, which was critical to Microsoft winning the federal government’s cloud computing business a decade ago, relies on U.S. citizens with security clearances to oversee the work and serve as a barrier against espionage and sabotage.

But these workers, known as “digital escorts,” often lack the technical expertise to police foreign engineers with far more advanced skills, ProPublica found. Some are former military personnel with little coding experience who are paid barely more than minimum wage for the work.

“We’re trusting that what they’re doing isn’t malicious, but we really can’t tell,” said one current escort who agreed to speak on condition of anonymity, fearing professional repercussions.

The system has been in place for nearly a decade, though its existence is being reported publicly here for the first time.

Microsoft told ProPublica that it has disclosed details about the escort model to the federal government. But former government officials said in interviews that they had never heard of digital escorts. The program appears to be so low-profile that even the Defense Department’s IT agency had difficulty finding someone familiar with it. “Literally no one seems to know anything about this, so I don’t know where to go from here,” said Deven King, spokesperson for the Defense Information Systems Agency.

National security and cybersecurity experts contacted by ProPublica were also surprised to learn that such an arrangement was in place, especially at a time when the U.S. intelligence community and leading members of Congress and the Trump administration view China’s digital prowess as a top threat to the country.

The Office of the Director of National Intelligence has called China the “most active and persistent cyber threat to U.S. Government, private-sector, and critical infrastructure networks.” One of the most prominent examples of that threat came in 2023, when Chinese hackers infiltrated the cloud-based mailboxes of senior U.S. government officials, stealing data and emails from the commerce secretary, the U.S. ambassador to China and others working on national security matters. The intruders downloaded about 60,000 emails from the State Department alone.

With President Donald Trump and his allies concerned about spying, the State Department announced plans in May to “aggressively revoke visas for Chinese students” — a pledge that the president seems to have walked back. The administration is also trying to arrange the sale of the popular social media platform TikTok, which is owned by a Chinese company that some lawmakers believe could hand over sensitive U.S. user data to Beijing and fuel misinformation with its content recommendations. But experts told ProPublica that digital escorting poses a far greater threat to national security than either of those issues and is a natural opportunity for spies.

“If I were an operative, I would look at that as an avenue for extremely valuable access. We need to be very concerned about that,” said Harry Coker, who was a senior executive at the CIA and the National Security Agency. Coker, who also was national cyber director during the Biden administration, added that he and his former intelligence community colleagues “would love to have had access like that.”

It is difficult to know whether engineers overseen by digital escorts have ever carried out a cyberattack against the U.S. government. But Coker wondered whether it “could be part of an explanation for a lot of the challenges we have faced over the years.”

Microsoft uses the escort system to handle the government’s most sensitive information that falls below “classified.” According to the government, this “high impact level” category includes “data that involves the protection of life and financial ruin.” The “loss of confidentiality, integrity, or availability” of this information “could be expected to have a severe or catastrophic adverse effect” on operations, assets and individuals, the government has said. In the Defense Department, the data is categorized as “Impact Level” 4 and 5 and includes materials that directly support military operations.

John Sherman, who was chief information officer for the Department of Defense during the Biden administration, said he was surprised and concerned to learn of ProPublica’s findings. “I probably should have known about this,” he said. He told the news organization that the situation warrants a “thorough review by DISA, Cyber Command and other stakeholders that are involved in this.”

In an emailed statement, the Defense Information Systems Agency said that cloud service providers “are required to establish and maintain controls for vetting and using qualified specialists,” but the agency did not respond to ProPublica’s questions regarding the digital escorts’ qualifications.

It’s unclear whether other cloud providers to the federal government use digital escorts as part of their tech support. Amazon Web Services and Google Cloud declined to comment on the record for this article. Oracle did not respond to requests for comment.

Microsoft declined to make executives available for interviews for this article. In response to emailed questions, the company provided a statement saying its personnel and contractors operate in a manner “consistent with US Government requirements and processes.”

Global workers “have no direct access to customer data or customer systems,” the statement said. Escorts “with the appropriate clearances and training provide direct support. These personnel are provided specific training on protecting sensitive data, preventing harm, and use of the specific commands/controls within the environment.” In addition, Microsoft said it has an internal review process known as “Lockbox” to “make sure the request is deemed safe or has any cause for concern.” A company spokesperson declined to provide specifics about how it works but said it’s built into the system and involves review by a........

© ProPublica