Microsoft says it will no longer use engineers in China for Department of Defense work:
Following a ProPublica report that Microsoft was using engineers in China to help maintain cloud computing systems for the U.S. Department of Defense, the company said it's made changes to ensure this will no longer happen.
The existing system reportedly relied on "digital escorts" to supervise the China-based engineers. But according to ProPublica, those escorts — U.S. citizens with security clearances — sometimes lacked the technical expertise to properly monitor the engineers.
In response to the report, Secretary of Defense Pete Hegseth wrote on X, "Foreign engineers — from any country, including of course China — should NEVER be allowed to maintain or access DoD systems."
On Friday, Microsoft's chief communications officer Frank X. Shaw responded: "In response to concerns raised earlier this week about US-supervised foreign engineers, Microsoft has made changes to our support for US Government customers to assure that no China-based engineering teams are providing technical assistance for DoD Government cloud and related services."
(Score: 5, Touché) by looorg on Tuesday July 22, @11:45AM (8 children)
So they have used engineers in China (and other places? NK?) to do DoD work? So who knows how many backdoors and vulnerabilities they have installed into the system. Could they even find them now if they looked? How much information has been siphoned off? Who knows ... But they'll totally not ever do it again, pinky swear. I'm sure they feel safer already.
(Score: 3, Informative) by Anonymous Coward on Tuesday July 22, @12:38PM (1 child)
Yes. Cisco has also been found guilty of doing this (using PRC-citizen laborers) to maintain DoD networks.
Then of course there is Intel, who disclosed several vulnerabilities in their processors (specifically issues with the IME as well as the speculative execution flaws in hyperthreading about a decade ago) to Israel and the PRC and never disclosed them to the USG until after they became public. The threat with IME isn't that one can externally access it (this can be blocked at layer 3) but rather that a state actor can potentially use the known flaws in the IME to replace the IME with another piece of software that rides out at a higher level.
Procurement officers are too transitory and generally too inept to hold anybody accountable, and lawmakers are even less capable of understanding the issue, and there's really only a handful of vendors who can meet the DoD computing needs, so it's a problem that will never really go away. Hence the whole "zero trust" thing in USG the past few years, although that rollout is really superficial and only at the user-facing component.
(Score: 4, Insightful) by JoeMerchant on Tuesday July 22, @01:20PM
> and there's really only a handful of vendors who can meet the DoD computing needs, so it's a problem that will never really go away.
Unless we redirect some existing military pork spending into education and development programs to build up our vendors to be capable.
(Score: 4, Interesting) by JoeMerchant on Tuesday July 22, @01:18PM
Transparency is always the answer.
In this case, it took ProPublica to call them out. DoD should be vigorously monitoring their contractors for themselves, but apparently their IT security culture is lacking basic safeguards.
I'm all for global cooperation, but military systems should be an absolute non-negotiable exception to that rule. If I were in charge there would be early retirement for the entire chain of command which allowed "non-qualified digital escorts" to even be considered as an option.
> NK?) to do DoD work?
Part of the paranoia about "remote workers" is that people in countries like NK have been successfully obtaining employment in the US via fraudulent identities. I, personally, have never had a security clearance, but I've worked "security clearance adjacent" a few times. To me, the whole point of a security clearance is that we, trusted U.S. agents, have face-to-face vetted the individual receiving the clearance. Interviewed their neighbors, old school mates, co-workers, etc. IN PERSON.
Doge being a clear anomaly, that type of security clearance should be a minimum requirement for any access to computer systems affecting national security. Any "leader" who doesn't understand that and demonstrate it in practice doesn't get my vote vs one who does.
(Score: 5, Insightful) by ikanreed on Tuesday July 22, @02:14PM (1 child)
Yeah, well, maybe, just maybe, our military has become entirely too dependent on having corporations do work for them. The Army Corps of Engineers exists for a reason, KP existed for a reason.
The government should probably maintain its own goddamn essential infrastructure.
(Score: 0) by Anonymous Coward on Tuesday July 22, @07:30PM
Wrong ideology. Come back in 20 years.
