
Defense and security risk Microsoft: Technicians from China managed the US Department of Defense's cloud
Pentagon scandal revealed: How Microsoft gave Chinese technicians access to US systems for years
“Digital Escorts”: The bizarre trick Microsoft used to circumvent US security laws for China
A huge security risk? Microsoft had Chinese engineers maintain the Pentagon cloud
After China revelations: Microsoft immediately changes its policy – but the damage is already done
The revelation that Chinese engineers were managing the highly sensitive cloud infrastructure of the US Department of Defense for Microsoft has sparked one of the biggest security controversies in recent memory. What began as a cost-optimized solution for technical support has evolved into a potential national security risk of considerable magnitude.
The exposure of a dangerous practice
For nearly a decade, Microsoft provided the Azure-based cloud infrastructure for the US Department of Defense. This collaboration, which was of enormous strategic and financial importance to Microsoft, was based on a system now considered grossly negligent in its handling of highly sensitive government data.
Investigative research by the American organization ProPublica in July 2025 revealed what many security experts consider an unacceptable security vulnerability: Microsoft outsourced the maintenance of its Defense Department infrastructure to technicians from non-US countries, particularly China. This practice had not only been established for years but was also a crucial factor in Microsoft's success in winning government contracts in the cloud computing sector.
The system of “Digital Escorts”
The system developed by Microsoft was based on so-called “digital escorts”—US citizens with appropriate security clearances who were supposed to remotely monitor the work of foreign technicians. These digital escorts acted as intermediaries between Chinese Microsoft engineers and the Pentagon's cloud systems, entering commands and instructions from their foreign colleagues into the government systems.
The problem with this system lies in its fundamental structural weakness: the digital escorts often lacked the technical expertise to properly monitor the work of their Chinese colleagues. Many of these escorts were former military personnel with little programming experience, who received barely more than minimum wage for this critical work. One recent escort summed up the problem: “We trust that what they are doing is not malicious, but we really can’t tell.”
Access to highly sensitive data
The Chinese engineers potentially had access to information classified as “Impact Level 4 and 5” – data considered highly sensitive but not officially classified as secret. This category includes content that directly supports military operations, as well as other data whose compromise, according to Pentagon guidelines, could have “serious or catastrophic consequences” for national security.
Impact Level 5 (IL5) is specifically designed for unclassified National Security Systems (NSS) that support DoD missions and process Controlled Unclassified Information (CUI), which requires a higher level of protection than IL4. This information can include research and development, logistics data, and other mission-critical content that could cause significant damage if compromised.
Microsoft's business model and compliance circumvention
The path to cloud dominance
In the 2010s, Microsoft established itself as the dominant provider of government cloud services. The company won a $10 billion cloud contract with the Department of Defense in 2019, which was later canceled in 2021 following legal disputes. In 2022, Microsoft, along with Amazon, Google, and Oracle, secured a share of new cloud contracts worth up to $9 billion.
These successes were partly based on Microsoft's ability to leverage global resources while seemingly meeting the stringent security requirements of the US government. The Digital Escort system was a creative but risky solution to a fundamental problem: How could a global technology company with extensive operations in China, India, and Europe meet the restrictive staffing requirements for US government contracts?
FedRAMP and the circumvention of safety regulations
The Federal Risk and Authorization Management Program (FedRAMP) was established in 2011 to provide a standardized approach for assessing, monitoring, and authorizing cloud computing products and services under the Federal Information Security Management Act (FISMA). FedRAMP requires cloud providers seeking to work with the federal government to ensure that background checks are conducted for employees handling highly sensitive federal government data.
The Department of Defense formulated additional cloud guidelines requiring that employees handling classified data be U.S. citizens or permanent residents. These requirements posed a significant challenge for Microsoft, as the company relies on a global workforce from India, China, the EU, and other regions.
Indy Crowley, a senior program manager at Microsoft, developed the Digital Escort program as a way to circumvent FedRAMP and DoD requirements. This system enabled foreign engineers in countries like China to provide adequate support without needing direct access to government systems.
The role of the Defense Information Systems Agency (DISA)
The Defense Information Systems Agency (DISA) serves as the central IT support organization for the Department of Defense and is responsible for developing and maintaining the DoD Cloud Computing Security Requirements Guide (SRG). DISA defines the fundamental security requirements that the DoD uses to assess the security posture of a cloud service provider.
Despite its central role in monitoring cloud security, DISA appeared to have little knowledge of Microsoft's Digital Escort program. A DISA spokesperson initially stated that they could not find anyone who had heard of the Escort concept. Later, the agency confirmed that Escorts are used in "selected unclassified environments" of the Department of Defense for "advanced problem diagnosis and resolution by industry experts."
Lack of communication and oversight
The lack of clarity regarding which government officials were informed about the Digital Escort system raises serious questions about oversight and communication between Microsoft and the relevant government agencies. While Microsoft claimed to have disclosed its practices during the authorization process, government representatives expressed surprise and could not recall any such information.
David Mihelcic, former Chief Technology Officer of DISA, described any visibility into the Defense Department's network as a "huge risk" and characterized the situation drastically: "Here you have one person you really don't trust because they are probably in Chinese intelligence, and the other person is not really capable."
The immediate reaction and political consequences
Defense Secretary Hegseth intervenes
ProPublica's revelations prompted immediate political reactions at the highest levels. Defense Secretary Pete Hegseth responded directly to the reports, announcing in a video message on X (formerly Twitter): “Foreign engineers – from any country, including of course China – should NEVER be allowed access to DoD systems.”
Hegseth ordered a two-week review of all the Department of Defense's cloud contracts to ensure that no Chinese specialists were involved in ongoing projects. He stated categorically: "China will have absolutely no involvement in our cloud services from now on."
In his statement, Hegseth also partially blamed the Obama administration, as it had negotiated the original cloud deal. He spoke of “cheap Chinese labor” whose use was “clearly unacceptable” and represented a potential vulnerability in the DoD's computer systems.
Microsoft is responding to the pressure
Faced with political pressure, Microsoft reacted swiftly. Frank X. Shaw, the company's Chief Communications Officer, confirmed on X on Friday that Microsoft had made changes to its support for U.S. government customers "to ensure that no China-based engineering teams provide technical support for DoD government cloud and related services."
This announcement came just hours after Defense Secretary Hegseth announced an investigation into Microsoft's use of foreign engineers. The speed of the response suggests the company is aware of the seriousness of the situation and the potential impact on its lucrative government contracts.
Senatorial Inquiry
Senator Tom Cotton, chairman of the Senate Intelligence Committee and a member of the Armed Services Committee, sent a letter to Defense Secretary Hegseth on Thursday requesting information and documents about the program. Cotton demanded a list of all DoD contractors employing Chinese personnel, as well as further details on how U.S. “digital escorts” are trained to detect suspicious activity.
“In light of the recent and disturbing reports about Microsoft using engineers in China to maintain DoD systems, I have asked the Secretary of Defense to investigate the matter,” Cotton stated in a post on X. “We must protect ourselves against all threats in our military’s supply chain.”
Technical vulnerabilities and security risks
The skills gap problem
One of the most fundamental problems with the Digital Escort system was the significant discrepancy in technical expertise between the Chinese engineers and their American supervisors. This “skills gap” created a dangerous situation in which highly skilled foreign technicians were supervised by significantly less qualified US citizens.
Matthew Erickson, a former Microsoft engineer who worked on the program, vividly explained the problem: “If someone runs a script called 'fix_servers.sh' that actually does something malicious, then [the escorts] would have no idea.” This statement highlights the system's fundamental weakness: the monitors' inability to identify potentially harmful code.
Recruitment and qualification of Digital Escorts
The recruitment of the Digital Escorts was partially handled by Lockheed Martin, with candidates selected primarily for their security clearances rather than their technical skills. Job postings for escort positions requiring DoD security certification listed pay starting at $18 per hour.
An escort team of approximately 50 people at Insight Global communicated monthly with Microsoft engineers based in China and entered hundreds of commands into government systems. A project manager warned Microsoft that the hired escorts, due to low pay and a lack of specialized experience, would "not have the right eyes" for the job.
Automated security measures and their limits
Microsoft insisted that the Escort system incorporated multiple layers of security, including approval workflows and automated code reviews through an internal review system called “Lockbox.” This system was designed to ensure that requests were classified as safe or cause for concern.
However, the details of these security measures remained vague, and Microsoft refused to disclose specific information about how the Lockbox system worked, citing security risks. This lack of transparency reinforced critics' concerns about the effectiveness of the implemented safeguards.
Historical context and previous security incidents
Microsoft's history with Chinese hackers
The controversy surrounding the Chinese engineers is particularly problematic given Microsoft's documented history of Chinese cyberattacks. The company has repeatedly been targeted by hackers from China and Russia who have successfully infiltrated Microsoft systems.
In 2023, Chinese hackers managed to steal thousands of emails from the email accounts of the Ministry of Foreign Affairs and the Ministry of Commerce. These incidents underscore the real threat posed by Chinese cyber operations and make Microsoft's decision to allow Chinese engineers to work with Pentagon systems even more questionable.
Current global security threats
Just days after the Digital Escort scandal was uncovered, Microsoft was hit by another significant security incident. In July 2025, a major vulnerability in a widely used Microsoft product allowed several Chinese hacking groups to compromise dozens of organizations worldwide and at least two US federal agencies.
The close timing of the two incidents reinforces concerns about Microsoft's ability to maintain adequate security measures against Chinese cyber threats. Charles Carmakal, Chief Technology Officer at Google's Mandiant, warned: "It is critical to understand that multiple actors are now actively exploiting this vulnerability."
Cybersecurity Failure: Chinese Engineers at the Heart of US Defense
Cybersecurity Maturity Model Certification (CMMC) and Compliance Challenges
CMMC in response to security vulnerabilities
The Cybersecurity Maturity Model Certification (CMMC) program was developed by the Department of Defense to strengthen cybersecurity in the defense industry and better protect sensitive unclassified information. CMMC is designed to enforce the protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
The CMMC 2.0 framework, introduced in November 2021, comprises three maturity levels, each with specific, increasingly stringent requirements. Level 1 focuses on basic cyber hygiene practices for contractors handling FCI, while Levels 2 and 3 are designed for organizations processing CUI and requiring higher levels of security.
Microsoft's CMMC compliance and the escort problem
The revelation of the Digital Escort system raises serious questions about Microsoft's compliance with CMMC requirements. CMMC Level 2 and higher are specifically designed to protect CUI – precisely the type of information that Chinese engineers potentially had access to through the Escort system.
Microsoft claims that customers can demonstrate CMMC compliance across various cloud environments, including the commercial cloud for lower security levels and the US sovereign cloud for higher security requirements. However, the fact that Chinese engineers had access to IL4 and IL5 data suggests a potential violation of CMMC's fundamental principles.
Impact Level Classifications and their significance
The DoD Impact Level Classifications are a critical element for understanding the severity of the Digital Escort scandal. Impact Level 4 (IL4) covers Controlled Unclassified Information (CUI), while Impact Level 5 (IL5) is designed for unclassified National Security Systems (NSS) data.
IL5 information requires a higher level of protection than IL4 and includes mission-critical information and NSS data. Unauthorized disclosure of IL5 information could have serious or catastrophic consequences for national security. The fact that Chinese engineers potentially had access to both categories makes this security vulnerability particularly alarming.
International perspectives and geopolitical implications
US-China cyber conflict in context
The digital escort scandal is occurring against a backdrop of deteriorating US-Chinese relations and an ongoing trade war—the kind of conflict that experts say could lead to Chinese cyber retaliation. The US government recognizes that China's cyber capabilities represent one of the most aggressive and dangerous threats to the United States.
Harry Coker, a former high-ranking official with the CIA and NSA, described the escort structure bluntly: “If I were an operative, I would view this as a pathway for extremely valuable access. We need to be very concerned about this.” This assessment by an intelligence expert underscores the potential severity of the security vulnerability from an intelligence perspective.
Impact on the global tech supply chain
The scandal raises broader questions about the security of third-party software providers used throughout the federal government. In December 2024, Chinese hackers compromised BeyondTrust, a private cybersecurity provider, to gain access to U.S. Treasury Department workstations, including those in the Office of Foreign Asset Control and the office of Treasury Secretary Janet Yellen.
These incidents demonstrate the vulnerability of the complex technological supply chains upon which modern governments depend. They also highlight the difficulty of maintaining truly secure national systems in a globalized world where everything is international and profoundly international, as security expert Bruce Schneier observed.
Industry reactions and expert opinions
Security experts are sounding the alarm
Several cybersecurity experts and former government officials expressed concern about the revelations. John Sherman, who served as Chief Information Officer for the Department of Defense during the Biden administration, said he was surprised and concerned by ProPublica's findings: "I probably should have known about this." He stated that the situation warranted a "thorough review by DISA, Cyber Command, and other stakeholders involved."
The Foundation for Defense of Democracies characterized the situation as the Pentagon having “granted China access to its systems for over a decade.” This organization emphasized that the DoD program allowed Chinese engineers access to Pentagon systems, while potentially enabling them to introduce vulnerabilities into DoD systems under the guise of software maintenance.
Microsoft's defense and transparency efforts
Microsoft defended the escort system as compliant with government standards. A company spokesperson stated: “For some technical inquiries, Microsoft engages our team of global subject matter experts to provide support through authorized US personnel, in accordance with US government requirements and processes.”
The company emphasized that “all employees and contractors with privileged access must pass federally approved background checks” and that “global support staff do not have direct access to customer data or customer systems.” Microsoft also claimed to use multiple layers of security, including approval workflows and automated code reviews, to prevent threats.
Unusually for the industry, Microsoft agreed to share its Basis of Equivalence (BoE) documents with customers under non-disclosure agreements, demonstrating a level of transparency that many other cloud service providers do not offer.
Long-term impacts and need for reform
Structural changes in government IT
The digital escort scandal could lead to fundamental changes in how the US government manages and oversees its IT infrastructure. The revelations have already resulted in increased scrutiny of defense contractor practices and stricter requirements for staffing sensitive technology projects.
Analysts expect similar steps across the industry as legislators and military officials continue to focus on cybersecurity risks and the integrity of the supply chain for government IT systems. The ongoing review of all Department of Defense cloud contracts could lead to an industry-wide reassessment of security practices.
Impact on other cloud providers
Although the current revelations focus on Microsoft, it is unclear whether other cloud providers working for the US government, such as Amazon Web Services or Google Cloud, also rely on digital escorts. These companies declined to comment when contacted by ProPublica.
The possibility that similar practices are widespread across the industry could lead to a comprehensive review and reform of cloud security practices for government contracts. Defense Secretary Hegseth indicated that the investigation could examine vendors certified through the Cybersecurity Maturity Model Certification (CMMC) program.
Cost and efficiency vs. safety
The scandal raises fundamental questions about the balance between cost-efficiency and security in government IT contracts. Microsoft's use of Chinese engineers was partly motivated by the desire to keep costs down while still providing highly skilled technical support.
Indy Crowley, who developed the Digital Escort program, told ProPublica: “It’s always a balance between cost, effort, and expertise. So you find what’s good enough.” This mentality, which allowed Microsoft to leverage its global workforce while seemingly meeting government requirements, could now be subject to a fundamental reassessment.
Technological innovations and future prospects
Automation and AI in cybersecurity
The revelations about digital escorts underscore the need for more advanced automated security systems that can complement or replace human oversight. Modern cybersecurity technologies, including AI-driven threat detection and automated code analysis, could address some of the weaknesses of the human escort system.
Microsoft and other cloud providers are already investing heavily in AI-based security solutions that can detect potentially harmful activity in real time. These technologies could play a critical role in reducing the need for human intermediaries in the future, who may lack the necessary technical skills.
Zero-trust architectures and their implementation
The scandal also reinforces the movement towards zero-trust security architectures, which assume that no entity – neither inside nor outside the network perimeter – is automatically trustworthy. These approaches require continuous verification and monitoring of all users and devices before access to systems and data is granted.
For government cloud services, implementing robust zero-trust principles could mitigate some of the risks associated with using foreign technical assistance. Such systems would require that every action—regardless of who performs it—be verified through multiple layers of security.
Economic impact and market dynamics
Impact on Microsoft's government business
Microsoft's government business is a significant revenue driver for the company. According to its latest quarterly earnings report, Microsoft generates substantial revenue from government contracts, with more than half of its $70 billion in first-quarter revenue coming from US-based customers.
The Azure cloud services division, which is affected by the controversy, generates more than 25% of the company's total revenue, according to analysts. Any long-term impairment of Microsoft's ability to win or retain government contracts could have significant financial repercussions.
Competitive impact in the cloud industry
The scandal could benefit Microsoft's competitors in the cloud industry, particularly Amazon Web Services (AWS), already the largest cloud provider, and Google Cloud. If government agencies begin to question Microsoft's security practices, they might turn to alternative providers that can offer more robust security guarantees.
The controversy could also lead to an industry-wide upgrade of security standards, as vendors try to distance themselves from the issues exposed in Microsoft's case. This could result in higher costs, but also in improved security practices across the industry.
Impact on the global tech supply chain
The revelations also raise broader questions about the sustainability of global technology supply chains in a time of geopolitical tension. Many technology companies rely on talent and resources from various countries, including those considered potential adversaries.
The trend toward “friend-shoring” or “near-shoring” of critical technology services could accelerate as governments seek to reduce their reliance on potentially problematic foreign suppliers. This could lead to significant changes in how global technology companies are structured and operate.
Regulatory reforms and political consequences
Potential legislative changes
The digital escort scandal could lead to significant regulatory reforms aimed at preventing similar security breaches in the future. Congress could introduce stricter requirements for employing foreign workers on sensitive government projects or mandate expanded background checks and monitoring requirements.
Possible reforms could also include expanded transparency requirements for cloud service providers working with the government, including detailed reporting on the nationality and qualifications of all employees who have access to government systems.
Impact on future procurement practices
The controversy could also lead to fundamental changes in government procurement practices. Future contracts could include stricter security requirements, expanded audit rights, and harsher penalties for security breaches.
The government could also begin to prioritize security more strongly over costs, which could lead to higher spending on IT services, but also to more robust security guarantees. This could be especially true for highly sensitive projects involving national security data.
The Microsoft Digital Escort scandal has exposed a critical vulnerability in how the US government manages and monitors its most sensitive IT systems. The revelation that Chinese technicians had access to Pentagon cloud systems for over a decade has not only triggered immediate political and corporate responses but has also raised fundamental questions about the balance between cost-effectiveness and national security.
Defense Secretary Hegseth's swift response and Microsoft's immediate policy changes demonstrate an awareness of the gravity of the situation. However, the implications of this scandal extend far beyond a single corporate practice. They touch upon the fundamental question of how democratic societies can protect their most critical digital infrastructures in an increasingly interconnected and geopolitically charged world.
The long-term implications will likely include a fundamental reassessment of cloud security practices, stricter regulatory requirements, and potentially a redesign of how global technology companies interact with national governments. While the immediate crisis may be addressed by Microsoft's policy changes and the Pentagon's investigation, the broader challenge of balancing security and efficiency in a globalized technological landscape remains.

