Pentagon Issues ‘Letter of Concern’ to Microsoft Over China-Based Engineer Access to Sensitive Systems
The Department of Defense has formally warned Microsoft about a “breach of trust” stemming from the tech giant’s use of China-based engineers to maintain critical government computer systems, signaling a notable escalation in scrutiny over national security risks. Defense Secretary Pete Hegseth announced this week that the Pentagon is also launching an examination to determine if national security has been compromised by the arrangement.
The actions follow a recent investigative report by ProPublica that revealed Microsoft’s “digital escort” system, a workaround designed to allow foreign engineers – including those in China – to work on sensitive U.S. systems under the supervision of U.S. personnel with security clearances. The report highlighted concerns that these “escorts” could be circumvented, potentially granting Chinese personnel unauthorized access to sensitive data and systems.
The letter of concern, if acted upon, could trigger the termination of Microsoft’s lucrative defense contracts. According to reports, Microsoft receives “significant revenue from government contracts.” The Defense Department has not publicly released the letter and declined to provide a copy to ProPublica.
Security experts have consistently warned about the inherent risks of allowing personnel based in China to access and maintain U.S. government computer systems. Chinese law grants broad authority to government officials to collect data, and analysts suggest it would be exceedingly difficult for any Chinese citizen or company to resist a direct request for information from security forces or law enforcement.
The Pentagon’s investigation will specifically focus on Microsoft’s China-based employees and will attempt to ascertain whether any malicious code or vulnerabilities were intentionally introduced into the systems. Hegseth stated the probe will “help us determine the impact of this digital escort workaround,” including whether “they put anything in the code that we didn’t know about.” A third-party audit of the digital escort program has also been mandated, though the auditing firm remains unnamed.
ProPublica’s reporting revealed that Microsoft began utilizing digital escorts approximately a decade ago, afterward securing billions of dollars in federal cloud computing contracts across the Obama, Trump, and Biden administrations. The arrangement reportedly went unnoticed by Pentagon officials for years. The investigation also found that Microsoft failed to disclose crucial details of the program in its security plans submitted to the Defense Department, a point the company has declined to address.
“We expect vendors doing business with the Department of Defense to put U.S. national security ahead of profit maximization,” Hegseth emphasized in his proclamation.
In response to the ProPublica investigation, Microsoft announced last month that it had ceased using China-based engineers for Defense Department cloud computing systems. In a statement, the company affirmed its commitment to collaboration with the U.S. government, stating it “will continue to collaborate with the US government to ensure we are meeting their expectations.” The company further added, “We remain committed to providing the most secure services possible to the US government, including working with our national security partners to evaluate and adjust our security protocols as needed.”
While Microsoft has halted the use of China-based engineers for the Defense Department, the company maintains operations in India, the European Union, and other global locations, with engineers in those regions also contributing to the maintenance of Defense Department cloud systems. Hegseth initially stated on X that “foreign engineers – from any country, including of course China – should NEVER be allowed to maintain or access DoD systems.” However, the Defense Department later indicated that the continued use of foreign-based engineers with digital escorts “may be deemed an acceptable risk,” depending on the “country of origin of the foreign national” and other factors.
Hegseth did not specify whether the digital escort program would be discontinued or whether Microsoft’s reliance on foreign nationals for other Defense Department systems would be reviewed. The department has not responded to further inquiries from ProPublica regarding the scope of the ongoing investigations.
ProPublica’s reporting also revealed that Microsoft employed China-based engineers to maintain federal cloud computing systems for other departments, including Justice, Treasury, and Commerce. Microsoft has indicated it will discontinue the use of China-based engineers for these departments as well. The Defense Department is reportedly coordinating with other federal agencies to ensure the protection of all U.S. networks.
