...The escorts handle data that, if leaked, would have “catastrophic” effects.
Microsoft uses the escort system to handle the government’s most sensitive information that falls below “classified.” According to the government, this includes “data that involves the protection of life and financial ruin.” The “loss of confidentiality, integrity, or availability” of this information “could be expected to have a severe or catastrophic adverse effect” on operations, assets and individuals, the government has said.
Defense Department data in this category includes materials that directly support military operations.
The program could expose Pentagon data to cyberattacks.
Because the U.S.-based escorts are taking direction from foreign engineers, including those based in China, the nation’s greatest cyber adversary, it is possible that an escort could unwittingly insert malicious code into the Defense Department’s computer systems.
A former Microsoft engineer who worked on the system acknowledged this possibility. “If someone ran a script called ‘fix_servers.sh’ but it actually did something malicious, then [escorts] would have no idea,” the engineer, Matthew Erickson, told ProPublica.
Pradeep Nair, a former Microsoft vice president who said he helped develop the concept from the start, said a variety of safeguards including audit logs, the digital trail of system activity, could alert Microsoft or the government to potential problems. “Because these controls are stringent, residual risk is minimal,” Nair said.
Digital escorts present a natural opportunity for spies, experts say.
“If I were an operative, I would look at that as an avenue for extremely valuable access. We need to be very concerned about that,” said Harry Coker, who was a senior executive at the CIA and the National Security Agency. Coker, who also was national cyber director during the Biden administration, added that he and his former intelligence colleagues “would love to have had access like that.”
Chinese laws allow government officials there to collect data “as long as they’re doing something that they’ve deemed legitimate,” said Jeremy Daum, senior research fellow at the Paul Tsai China Center at Yale Law School. Microsoft’s China-based tech support for the U.S. government presents an opening for Chinese espionage, “whether it be putting someone who’s already an intelligence professional into one of those jobs, or going to the people who are in the jobs and pumping them for information,” Daum said. “It would be difficult for any Chinese citizen or company to meaningfully resist a direct request from security forces or law enforcement.”...