I work in Azure and this is wildly mischaracterizing the risk, though it is news to me that there are non-US nationals doing escorts for the non-airgapped government clouds.
I assume it is OK to say this: Microsoft has a “China” cloud and a non-airgapped “US Government” cloud. It is standard practice that engineers making production touches in the clouds have to be “escorted” by vendors who make sure you’re not doing anything malicious. I assume the article is implying that these vendors for the US Gov cloud may be Chinese nationals.
As Jason mentions in another comment, anything actually requiring clearance is serviced by the airgapped clouds and only folks with clearance are able to operate there.
Edit: misread the article but the third paragraph stands. The government is totally aware of where the operator boundary lies and this is still wildly mischaracterized.
How does the vendor make sure you're not doing anything malicious if they don't have the skills to understand the change?
It sounds like the issue here isn't that the vendor doing the escort is a Chinese national, it's that the engineer making the change is a Chinese national in China and they're using this escort system to check a box saying that because the changes themselves are being made by US nationals, they won't send PII or passwords back to China. But fundamentally a system where an untrusted person gets a less technical person to make a change for them seems inherently extremely high-risk.
Yep, I totally read the article incorrectly. You’re spot on and honestly I’ve asked myself the same question - though less from a national security perspective and more a “what’s the point of this extra tax to mitigate this incident”
Yeah it seems like there are two issues here being conflated. The first is that non-US-persons are operating, by proxy, Azure assets that serve US Gov missions. The second is that those persons may be operating assets used in sensitive missions. Say IL4 and up.
The first is a little embarrassing for Microsoft, but a venial sin, not a mortal one. Makes them look like cheapskates offshoring work, instead of training local workers, but OK, fine.
The second would be a mortal sin, assuming (it's not clear from the article whether) these non-US people are really operating at IL4 and up. Those assets really need US people especially at the higher impact levels. All of the above is public info described in FedRAMP standards.
I think you misread the article. Chinese engineers are operating US government cloud computers by proxy. The Chinese just don't see the computer screen. A US grunt copies & pastes the Chinese's commands into the system during a Teams call.
> The government is totally aware of where the operator boundary lies and this is still wildly mischaracterized.
Regardless of the program’s actual risk, it doesn’t seem that the government is fully aware of the program’s very existence. The article quotes the former CIO of the Pentagon as being surprised:
> John Sherman, who was chief information officer for the Department of Defense during the Biden administration, said he was surprised and concerned to learn of ProPublica’s findings. “I probably should have known about this,” he said. He told the news organization that the situation warrants a “thorough review by DISA, Cyber Command and other stakeholders that are involved in this.”
This article is trying to show it as more scary than it is. The key points are: this is systems up to secret level only and sessions are recorded and watched by an escort; the escort is not as tech savvy as the engineers performing maintenance (who are also Microsoft employees, from many countries of origin) but there are other controls too; they can’t just run unsigned code etc.
The top secret stuff isn’t using this system; it’s using cleared staff.
This doesn't reflect what the article says. It only includes unclassified systems, not systems up to secret. That means anything from IL2 to IL5 (secret is impact level 6). In practice, IL2 is basically open access anyway, so it's really IL4 and IL5 as those levels actually restrict access. IL5 can include controlled unclassified information, but that's the highest possible. Remote access to IL5 systems also requires either a common access card issued by the DoD or personal PKI issued by an approved CA that still has to verify your background and identity in person before issuing you a certificate pair.
Along with everyone else they interviewed apparently, I had no idea this program even existed, but there have always been similar programs for other kinds of maintenance and support personnel. The people who repair the toilets and refrigerators in a SCIF don't have clearances. They get an escort, and everyone else in the building gets a warning before anyone needing an escort comes in, telling them to put away any sensitive data and either work on something unclassified or turn off your monitors and stop working completely until these people are done and leave again.
Thanks for the clarification; I was going off "While the ad said that specific technical skills were “highly preferred” and “nice to have,” the main prerequisite was possessing a valid “secret” level clearance issued by the Defense Department" from the article.
Secret is still sensitive info and, if released, can cause harm or disruption.
Spying is not based on finding a single discovery of top secret information but a continuous process of pulling various pieces together. A "secret" item by itself may not cause bad things to happen but combined with other information could result in far greater damage.
Chinese engineers are operating US government cloud computers by proxy. The Chinese just don't see the computer screen--a proxy copies & pastes their commands and reads back the results.
The "program" is a logistical one and not a software one in which Microsoft employs Chinese software engineers to be "overseen" by US citizens that have security clearances, but not necessarily the requisite experience for say a code review level of oversight.
There’s no single overarching federal requirement when it comes to citizenship etc, but I would’ve assumed that ITAR requirements at the very least would’ve made this work US citizen on US soil only.
I mean what does vetting even mean anymore? Our President is a convicted felon, our head of HHS thinks bad humors cause illness and vaccines cause Autism, our head of Education is dismantling her own organization with the approved sign off of the Supreme Court, of whom a solid percentage are accused sex offenders, and I could keep going with the utter circus our Government is currently.
Not only are qualifications not required, they are apparently actively discouraged in favor of nepotism and connections.
I knew a guy with clearance that cashed out 100% of his retirement to fly to Moscow to meet a sex worker he'd been involved with online. It never affected his clearance.
Dude would run his mouth about stuff he shouldn't tell people under normal circumstances. There's no way he didn't tell the sex worker secret stuff.
It doesn't seem amazingly well worded, but I'm assuming that "these workers" from the previous paragraph are the "digital escorts" which were described as:
> U.S. citizens with security clearances to oversee the work and serve as a barrier against espionage and sabotage
It's more involved than that - the US national is the person who has control of the keyboard, the non US national views the screen share and instructs them what to do.
Chinese engineers call the US escorts on Teams and tell them what to copy & paste into US government cloud terminals. The Chinese don't see the screen or touch the keyboard attached to the government cloud so they "don't" break the letter of the law.
i don't really understand why folks are downplaying this in the comments:
some engineers who write the code for production US systems that contain controlled unclassified information live in china. the US government was unaware that this was happening because MSFT hid it from them. as a result, govt stakeholders are/were unable to assess the risk.
all MSFT ATO's should be revoked.
some of the comments point out that foreign workers will help maintain facilities overseas, but govt stakeholders are aware of this, assess the risk, and implement risk controls.
but shady M$FT hid this from govt, and that amplifies the problem!
They can do everything that the escort's account can, I don't think you can know what that is.
Since it's to solve technical issues, there's a high chance that low-level access will be required, often.
These aren’t SECRET systems. If they were, that would be catastrophically bad and someone would go to jail.
Appears the program has unfixed bugs and security holes anyway :\
Edit: It's people who watch over what foreign engineers are doing.
disclaimer: am google