Chinese coders barred from Pentagon cloud systems

Defense Secretary Pete Hegseth said on Wednesday that the Pentagon will no longer allow Chinese nationals to work as coders on Department of Defense (DoD) cloud systems, ending a controversial practice that critics warned carried security risks.

For years, a programme loosely modelled on Microsoft’s internal arrangements let foreign nationals, including developers in China, contribute code to DoD systems under the supervision of US contractors. The idea was that “digital escorts” would monitor their charges closely.

Hegseth said the arrangement never should have been permitted. “I mean, if you’re thinking America first and common sense, this doesn’t pass either of those tests,” he said in a post on social media. “So the use of Chinese nationals to service Department of Defense cloud environments, it’s over.”

He called the programme a “vulnerability” and said an immediate review was launched once he learned about it. “It blows my mind that I’m even saying these things in such common sense that we ever allowed it to happen,” Hegseth added. “We expect vendors doing business with the Department of Defense to put US national security ahead of profit maximisation.”

Microsoft’s role and new audits

Microsoft, one of the Pentagon’s most important cloud contractors, is conducting an audit at no cost to taxpayers to look for vulnerabilities linked to the programme. The company holds several major contracts with the Defense Department, including the $9 billion Joint Warfighting Cloud Capability led by the Defense Information Systems Agency.

In a statement to The Hill, Microsoft said: “Microsoft has terminated the use of any China-based engineering teams for DoD cloud systems and we will continue to collaborate with the US Government to ensure we are meeting their expectations. We remain committed to providing the most secure services possible to the US government, including working with our national security partners to evaluate and adjust our security protocols as needed.”

Hegseth said Microsoft will not be the only company under scrutiny. “All Department of Defense software vendors will identify and terminate any Chinese involvement in DoD systems,” he said.

Questions over oversight

The Defense Department has suggested it was unaware that Microsoft was using the escort programme. “Literally no one seems to know anything about this, so I don’t know where to go from here,” said Deven King, spokesperson for the Defense Information Systems Agency, in comments to ProPublica earlier this summer.

Others familiar with the practice questioned its effectiveness. One digital escort who spoke to ProPublica on condition of anonymity said there were no strong policies in place to prevent abuse. “We’re trusting that what they’re doing isn’t malicious, but we really can’t tell,” the source said.

Concerns over the practice intensified after ProPublica reported on it in July. Just three days later, Microsoft spokesperson Frank Shaw said on X that the company had changed its programmes with the Pentagon and would no longer use engineers based in China to provide technical support.

Hegseth, Pentagon launch probes into coder risks

Hegseth said two separate probes are now running in parallel: Microsoft’s internal audit and an independent review by the Pentagon. Both will look for malware or backdoors that may have been introduced through the escort program.

“We’ve issued a formal letter of concern to Microsoft documenting this breach of trust, and we’re requiring a third-party audit of Microsoft’s digital escort program, including the code and the submissions by Chinese nationals,” Hegseth said. “I’m also tasking the Department of Defense experts with a separate investigation of the digital escort programme and the Chinese Microsoft employees that were involved in it.”

The Defense Secretary said the investigations aim to answer a central question: “Did they put anything in the code that we didn’t know about? We’re going to find out.”

The outcome could shape how the Pentagon approaches its reliance on private technology providers. For now, Hegseth says his order ensures that foreign engineers from China will have no role in maintaining the Defense Department’s cloud systems.

(Photo by Tabrez Syed)

See also: US military cloud no longer backed by Microsoft’s China team

Want to learn more about Cloud Computing from industry leaders? Check out Cyber Security & Cloud Expo taking place in Amsterdam, California, and London. The comprehensive event is part of TechEx and is co-located with other leading technology events, click here for more information.

CloudTech News is powered by TechForge Media. Explore other upcoming enterprise technology events and webinars here.