For almost a decade, Microsoft has used engineers in China to help maintain high-level computer security systems. A ProPublica investigation reveals how a model that relies on “digital escorts” to oversee foreign technical support can leave some of the country’s most sensitive data vulnerable to hacking by its leading cyber adversary.
Here are the key takeaways from this report:
Only US citizens with security clearances are allowed to access the Defense Department’s most sensitive data.
Since 2011, cloud computing companies that wanted to sell their services to the US government have had to establish how they would guarantee that federal staff have the necessary “access permits” and checks. In addition, the Defense Department requires that people handling sensitive data be US citizens or permanent residents.
This presented a problem for Microsoft, which relies on a large global workforce with significant operations in India, China and the European Union.
Microsoft created its “digital escort” program to get around this prohibition.
Microsoft’s foreign workforce is not allowed to access sensitive cloud systems directly, so the tech giant hired American “digital escorts,” who held security clearances that allowed them to access confidential information, to take direction from the foreign experts. The engineers briefly describe the task that needs to be completed – for example, updating a firewall, installing an update to fix a bug or reviewing logs to troubleshoot a problem. The escort then copies and pastes the engineer’s commands into the federal cloud.
The problem ProPublica found is that the digital escorts do not necessarily have the technical expertise required to spot problems.
“We trust that what they do is not malicious, but we really can’t say,” said one escort.
Escorts handle data whose leak would have “catastrophic” effects.
Microsoft uses the escort system to handle the most sensitive government information that falls below “classified.” According to the government, this includes “data that includes life protection and financial destruction.” “The loss of confidentiality, integrity or availability of” this information “can be expected to have a serious or catastrophic adverse effect” on operations, assets and individuals, the government said.
Defense Department data in this category includes materials that directly support military operations.
The program could expose Pentagon data to cyberattacks.
Because the US-based escorts take direction from foreign engineers, including those in China, the country’s largest cyber adversary, it is possible that an escort could unwittingly insert malicious code into the Defense Department’s computer systems.
A former Microsoft engineer who worked on the system acknowledged this possibility. “If anyone ran a script called ‘Fix_servers.sh’ but in fact it did something malicious, then (the escorts) would have no idea,” said the engineer, Matthew Erickson.
Pradeep Nair, a former Microsoft vice president who said he helped develop the concept from the beginning, said that various safeguards, including audit logs, the digital trail of system activity, could alert Microsoft or the government to possible problems. “Because this control is strict, the residual risk is minimal,” Nair said.
Experts say digital escorts present a natural opportunity for spies.
“If I were an operative, I would look at it as an avenue for extremely valuable access. We must be very concerned,” said Harry Coker, who was a top official at the CIA and the National Security Agency. Coker, who was also a national director during the Biden administration, added that he and his former intelligence colleagues “would like to have such access.”
Chinese laws allow government officials to collect data “while they are doing what they have considered legal,” said Jeremy Daum, senior researcher at the Paul Tsai China Center at Yale Law School. Microsoft’s China-based technical support for the US government presents an opening for Chinese espionage, “whether it be placing someone who is already an intelligence specialist in one of these jobs or going to the people who work in those jobs and pumping them for information,” Daum said. “It would be difficult for any citizen or company to resist a direct request from security or law enforcement.”
Microsoft says the program is approved by the government.
Microsoft said in a statement that its staff and contractors operate “according to the US government’s requirements and processes.”
The company’s global employees “do not have direct access to customer data and customer systems,” the statement said. Escorts “with the appropriate clearances and training provide direct support. These staff receive specific training on protecting secret data, preventing damage and using specific commands/controls in the environment.”
Insight Global – a contractor that provides digital escorts to Microsoft – said it “evaluates the technical capabilities of each resource throughout the interview process to ensure that they have technical skills” for the job, and provides training.
Microsoft says it disclosed details of the escort program to the government. Former Pentagon officials said they had never heard of it.
Microsoft told ProPublica that it described the escort model in documents provided to the government as part of the vendor authorization processes. Former defense and intelligence officials said in interviews that they had never heard of digital escorts. Even the Defense Department’s IT agency did not know about it until ProPublica asked for comment.
“I probably should have known about it,” said John Sherman, who was chief information officer of the Defense Department during the Biden administration. He said the system is a major security risk for the department and called for a “careful review by (the Defense Information Systems Agency), Cyber Command and other stakeholders involved in this.”
DISA said: “Experts under escort supervision do not have direct, hands-on access to government systems; rather, they offer guidance and recommendations to authorized administrators who perform the tasks.”
Microsoft was warned about the risk.
Over the years, several people raised concerns about the escort strategy, including while it was in development. A former Microsoft employee who was involved in the company’s cybersecurity strategy said they told leadership that they opposed the concept, viewing it as too risky from a security standpoint.
Around 2016, Microsoft contracted Lockheed Martin to hire escorts. The project manager said they told their counterpart at Microsoft that they were concerned the escorts would not have the “right eyes” for the job, given the relatively low pay.
Microsoft did not answer questions on these points.
Other cloud providers would not say whether they also use escorts.
It is unclear whether other major cloud service providers also use digital escorts in their federal government work. Amazon Web Services and Google Cloud declined to comment on the record for this article. Oracle did not respond to requests for comment.
