• This is a political forum that is non-biased/non-partisan and treats every person's position on topics equally. This debate forum is not aligned to any political party. In today's politics, many ideas are split between and even within all the political parties. Often we find ourselves agreeing on one platform but some topics break our mold. We are here to discuss them in a civil political debate. If this is your first visit to our political forums, be sure to check out the RULES. Registering for debate politics is necessary before posting. Register today to participate - it's free!

a-microsoft-project-could-expose-the-pentagon-to-chinese-hackers/

Lord Tammerlain

DP Veteran
Joined
Jan 25, 2010
Messages
35,223
Reaction score
18,851
Gender
Undisclosed
Political Leaning
Undisclosed

Chinese tech support: Microsoft is using engineers in China to help maintain the Defense Department’s computer systems with minimal supervision by US personnel.
Skills gap: Digital escorts often lack the technical expertise to police foreign engineers with far more advanced skills, leaving highly sensitive data vulnerable to hacking.
Ignored warnings: Various people involved in the work told ProPublica that they warned Microsoft that the arrangement is inherently risky, but the company launched and expanded it anyway.
Microsoft is using engineers in China to help maintain the Defense Department’s computer systems — with minimal supervision by US personnel — leaving some of the nation’s most sensitive data vulnerable to hacking from its leading cyber adversary, a ProPublica investigation has found.


Never expected this
 

...Only U.S. citizens with security clearances are permitted to access the Defense Department’s most sensitive data.

Since 2011, cloud computing companies that wanted to sell their services to the U.S. government had to establish how they would ensure that personnel working with federal data would have the requisite “access authorizations” and background screenings. Additionally, the Defense Department requires that people handling sensitive data be U.S. citizens or permanent residents.

This presented an issue for Microsoft, which relies on a vast global workforce with significant operations in India, China and the European Union.

Microsoft established its low-profile “digital escort” program to get around this prohibition.


Microsoft’s foreign workforce is not permitted to access sensitive cloud systems directly, so the tech giant hired U.S.-based “digital escorts,” who had security clearances that authorized them to access sensitive information, to take direction from the overseas experts. The engineers might briefly describe the job to be completed — for instance, updating a firewall, installing an update to fix a bug or reviewing logs to troubleshoot a problem. Then the escort copies and pastes the engineer’s commands into the federal cloud.

The problem, ProPublica found, is that digital escorts don’t necessarily have the advanced technical expertise needed to spot problems.

“We’re trusting that what they’re doing isn’t malicious, but we really can’t tell,” said one current escort....
 
...The escorts handle data that, if leaked, would have “catastrophic” effects.

Microsoft uses the escort system to handle the government’s most sensitive information that falls below “classified.” According to the government, this includes “data that involves the protection of life and financial ruin.” The “loss of confidentiality, integrity, or availability” of this information “could be expected to have a severe or catastrophic adverse effect” on operations, assets and individuals, the government has said.

Defense Department data in this category includes materials that directly support military operations.

The program could expose Pentagon data to cyberattacks.

Because the U.S.-based escorts are taking direction from foreign engineers, including those based in China, the nation’s greatest cyber adversary, it is possible that an escort could unwittingly insert malicious code into the Defense Department’s computer systems.

A former Microsoft engineer who worked on the system acknowledged this possibility. “If someone ran a script called ‘fix_servers.sh’ but it actually did something malicious, then [escorts] would have no idea,” the engineer, Matthew Erickson, told ProPublica.

Pradeep Nair, a former Microsoft vice president who said he helped develop the concept from the start, said a variety of safeguards including audit logs, the digital trail of system activity, could alert Microsoft or the government to potential problems. “Because these controls are stringent, residual risk is minimal,” Nair said.

Digital escorts present a natural opportunity for spies, experts say.

“If I were an operative, I would look at that as an avenue for extremely valuable access. We need to be very concerned about that,” said Harry Coker, who was a senior executive at the CIA and the National Security Agency. Coker, who also was national cyber director during the Biden administration, added that he and his former intelligence colleagues “would love to have had access like that.”

Chinese laws allow government officials there to collect data “as long as they’re doing something that they’ve deemed legitimate,” said Jeremy Daum, senior research fellow at the Paul Tsai China Center at Yale Law School. Microsoft’s China-based tech support for the U.S. government presents an opening for Chinese espionage, “whether it be putting someone who’s already an intelligence professional into one of those jobs, or going to the people who are in the jobs and pumping them for information,” Daum said. “It would be difficult for any Chinese citizen or company to meaningfully resist a direct request from security forces or law enforcement.”...
 
Haggis says he's "looking into it", but that's pretty much moot, since Microslop said they'll stop using these "engineers":


Microsoft said it will cease using China-based computer engineering teams for work on Pentagon cloud systems and other classified systems after an investigation this week led to national security concerns at the highest levels over a program that Microsoft has used since 2016.

 
Back
Top Bottom