Edit: It's people who watch over what foriegn engineers are doing.
Edit: yes it does, I just didn't read it all the way.
> A Microsoft engineer in China files an online “ticket” to take on the work.
> A U.S.-based escort picks up the ticket.
> The engineer and the escort meet on the Microsoft Teams conferencing platform.
> The engineer sends computer commands to the U.S. escort, presenting an opportunity to insert malicious code.
> The escort, who may not have advanced technical expertise, inputs the commands into the federal cloud system.
It sounds like you may have additional context or perspective, which makes me curious about the scope of "instructs." For example, I can imagine that the deployment sources of the public and Government clouds infrastructure are different, such that a bug fix on the shared base may need to be merged between these two branches. If a foreign national made the fix for the public version and then provided the expertise of resolving merge conflicts when applying it to the Government version, it presents an opportunity for subtle abuse unless the change is either further audited by the keyboard operator or another engineer before the merge result lands or is deployed.
As far at I'm aware, there isn't a separate code base.
In general, you can't share scripts / executables via this mechanism - that's done via code review and deployment.
You could get an operator to run a script in a malicious way, but it'd need pre-written to include the malicious behaviour.
Basically, stockholders get another yacht, national security gets screwed.
> U.S. citizens with security clearances to oversee the work and serve as a barrier against espionage and sabotage
Appears the program has unfixed bugs and security holes anyway :\
The top secret stuff isn’t using this system; it’s using cleared staff.
Spying is not based on finding a single discovery of top secret information but a continuous process of pulling various pieces together. A "secret" item by itself may not cause bad things to happen but combined with other information could result in far greater damage.
Along with everyone else they interviewed apparently, I had no idea this program even existed, but there have always been similar programs for other kinds of maintenance and support personnel. The people who repair the toilets and refrigerators in a SCIF don't have clearances. They get an escort, and everyone else in the building gets a warning before anyone needing an escort comes in, telling them to put away any sensitive data and either work on something unclassified or turn off your monitors and stop working completely until these people are done and leave again.
They can do everything that the escort's account can, I don't think you can know what that is.
Since it's to solve technical issues, there's a high chance that low-level access will be required, often.
These aren’t SECRET systems. If they were, that would be catastrophically bad and someone would go to jail.
I assume it is OK to say this: Microsoft has a “China” cloud and a non-airgapped “US Government” cloud. It is standard practice that engineers making production touches in the clouds have to be “escorted” by vendors who make sure you’re not doing anything malicious. I assume the article is implying that these vendors for the US Gov cloud may be Chinese nationals.
As Jason mentions in another comment, anything actually requiring clearance is serviced by the airgapped clouds and only folks with clearance are able to operate there.
Edit: misread the article but the third paragraph stands. The government is totally aware of where the operator boundary lies and this is still wildly mischaracterized.
It sounds like the issue here isn't that the vendor doing the escort is a Chinese national, it's that the engineer making the change is a Chinese national in China and they're using this escort system to check a box saying that because the changes themselves are being made by US nationals, they won't send PII or passwords back to China. But fundamentally a system where an untrusted person gets a less technical person to make a change for them seems inherently extremely high-risk.
To put it another way, if the air gap is the only thing preventing the malicious system from doing its malicious thing, it seems like "defense in depth" is working but there's still a problem to solve. That is, making the malicious system not malicious.
> anything actually requiring clearance is serviced by the airgapped clouds and only folks with clearance are able to operate there
It seems like "operate" may be doing a lot of work here.
My guess is ATO requires that only US Citizens make changes to the system. However, Microsoft did not want to hire skilled US citizens for pay reasons so they hire unskilled US citizens and get trained Chinese nationals to direct US citizens to make changes they require.
So stockholders get another yacht because GovCloud is expensive but overhead is peanuts and national security be damned.
US Government should announce that their ATO has been revoked but we don't do that.
Regardless of the program’s actual risk, it doesn’t seem that the government is fully aware of the program’s very existence. The article quotes the former CIO of the Pentagon as being surprised:
> John Sherman, who was chief information officer for the Department of Defense during the Biden administration, said he was surprised and concerned to learn of ProPublica’s findings. “I probably should have known about this,” he said. He told the news organization that the situation warrants a “thorough review by DISA, Cyber Command and other stakeholders that are involved in this.”
The first is a little embarrassing for Microsoft, but a venal sin, not a mortal one. Makes them look like cheapskates offshoring work, instead of training local workers, but Ok, fine.
The second would be a mortal sin, assuming ( its not clear from the article whether) these non-US people are really operating at IL4 and up. Those assets really need US people especially at the higher impact levels. All of the above is public info described in FedRAMP standards.
Not only are qualifications not required they are apparently actively discouraged in favor of nepotism and connections.
Dude would run his mouth about stuff he shouldn't tell people under normal circumstances. There's no way he didn't tell the sex worker secret stuff.
Worst part is I'm not really surprised.
some engineers who write the code for production US systems that contain controlled unclassified information live in china. the US government was unaware that this was happening because MSFT hid it from them. as a result, govt stakeholders are/were unable to assess the risk.
all MSFT ATO's should be revoked.
some of the comments point out that foreign workers will help maintain facilities overseas, but govt stakeholders are aware of this, assess the risk, and implement risk controls.
but shady M$FT hid this from govt, and that amplifies the problem!
disclaimer: am google
jmclnx•6mo ago
The fun of using Cloud type systems. I expect AWS, Google and maybe IBM Cloud has the same issue. Save $ now, pay lots more later.
seviu•6mo ago
Not sure if this is a debate the current administration has for the future or even if they are aware of it.
Not trying to give my opinion or deciding whether one thing is better or worse. Just genuine curiosity.
delfinom•6mo ago
Outsourcing software development is 100% intended to surpress the peasants managing to go up higher on the ladder. Many companies doing "AI layoffs" are in fact just outsourcing to the usual countries overseas even more.
dmix•6mo ago
> IBM CEO Says AI Has Replaced Hundreds of Workers but Created New Programming, Sales Jobs
(laying off mostly administrative/HR people)
https://www.wsj.com/articles/ibm-ceo-says-ai-has-replaced-hu...
> Intel plans to lay off up to a fifth of its factory workers, an enormous cutback that will have a profound effect on one of the chipmaker’s core businesses.
https://www.oregonlive.com/silicon-forest/2025/06/intel-will...
Microsoft laid off mostly gaming from failed acquisitions + sales/marketing (one of which I know personally)