Microsoft to stop using China-based teams to support Department of Defense

Last week, Microsoft announced that it would no longer use China-based engineering teams to support the Defense Department’s cloud computing systems, following ProPublica’s investigation of the practice, which cybersecurity experts said could expose the government to hacking and espionage.

But it turns out the Pentagon was not the only part of the government facing such a threat. For years, Microsoft has also used its global workforce, including China-based personnel, to maintain the cloud systems of other federal departments, including parts of Justice, Treasury and Commerce, ProPublica has found.

This work has taken place in what’s known as the Government Community Cloud, which is intended for information that is not classified but is nonetheless sensitive. The Federal Risk and Authorization Management Program, the US government’s cloud accreditation organization, has approved GCC to handle “moderate” impact information “where the loss of confidentiality, integrity, and availability would result in serious adverse effect on an agency’s operations, assets, or individuals.”

The Justice Department’s Antitrust Division has used GCC to support its criminal and civil investigation and litigation functions, according to a 2022 report. Parts of the Environmental Protection Agency and the Department of Education have also used GCC.

Microsoft says its foreign engineers working in GCC have been overseen by US-based personnel known as “digital escorts,” similar to the system it had in place at the Defense Department.

Nevertheless, cybersecurity experts told ProPublica that foreign support for GCC presents an opportunity for spying and sabotage. “There’s a misconception that, if government data isn’t classified, no harm can come of its distribution,” said Rex Booth, a former federal cybersecurity official who now is chief information security officer of the tech company SailPoint.

“With so much data stored in cloud services—and the power of AI to analyze it quickly—even unclassified data can reveal insights that could harm US interests,” he said.