beoberha · 2 months ago
I work in Azure and this is wildly mischaracterizing the risk, though it is news to me that there are non-US nationals doing escorts for the non-airgapped government clouds.

I assume it is OK to say this: Microsoft has a “China” cloud and a non-airgapped “US Government” cloud. It is standard practice that engineers making production touches in the clouds have to be “escorted” by vendors who make sure you’re not doing anything malicious. I assume the article is implying that these vendors for the US Gov cloud may be Chinese nationals.

As Jason mentions in another comment, anything actually requiring clearance is serviced by the airgapped clouds and only folks with clearance are able to operate there.

Edit: misread the article but the third paragraph stands. The government is totally aware of where the operator boundary lies and this is still wildly mischaracterized.

apical_dendrite · 2 months ago
How does the vendor make sure you're not doing anything malicious if they don't have the skills to understand the change?

It sounds like the issue here isn't that the vendor doing the escort is a Chinese national, it's that the engineer making the change is a Chinese national in China and they're using this escort system to check a box saying that because the changes themselves are being made by US nationals, they won't send PII or passwords back to China. But fundamentally a system where an untrusted person gets a less technical person to make a change for them seems inherently extremely high-risk.

beoberha · 2 months ago
Yep, I totally read the article incorrectly. You’re spot on and honestly I’ve asked myself the same question - though less from a national security perspective and more a “what’s the point of this extra tax to mitigate this incident”

kjellsbells · a month ago
Yeah it seems like there are two issues here being conflated. The first is that non-US-persons are operating, by proxy, Azure assets that serve US Gov missions. The second is that those persons may be operating assets used in sensitive missions. Say IL4 and up.

The first is a little embarrassing for Microsoft, but a venial sin, not a mortal one. Makes them look like cheapskates offshoring work, instead of training local workers, but OK, fine.

The second would be a mortal sin, assuming (it's not clear from the article whether) these non-US people are really operating at IL4 and up. Those assets really need US people, especially at the higher impact levels. All of the above is public info described in FedRAMP standards.

throwaway667555 · a month ago
I think you misread the article. Chinese engineers are operating US government cloud computers by proxy. The Chinese just don't see the computer screen. A US grunt copies & pastes the Chinese's commands into the system during a Teams call.

danso · 2 months ago
> The government is totally aware of where the operator boundary lies and this is still wildly mischaracterized.

Regardless of the program’s actual risk, it doesn’t seem that the government is fully aware of the program’s very existence. The article quotes the former CIO of the Pentagon as being surprised:

> John Sherman, who was chief information officer for the Department of Defense during the Biden administration, said he was surprised and concerned to learn of ProPublica’s findings. “I probably should have known about this,” he said. He told the news organization that the situation warrants a “thorough review by DISA, Cyber Command and other stakeholders that are involved in this.”

jasonthorsness · 2 months ago
This article is trying to show it as more scary than it is. The key points are: this is systems up to secret level only and sessions are recorded and watched by an escort; the escort is not as tech savvy as the engineers performing maintenance (who are also Microsoft employees, from many countries of origin) but there are other controls too; they can’t just run unsigned code etc.

The top secret stuff isn’t using this system; it’s using cleared staff.

nonameiguess · 2 months ago
This doesn't reflect what the article says. It only includes unclassified systems, not systems up to secret. That means anything from IL2 to IL5 (secret is impact level 6). In practice, IL2 is basically open access anyway, so it's really IL4 and IL5 as those levels actually restrict access. IL5 can include controlled unclassified information, but that's the highest possible. Remote access to IL5 systems also requires either a common access card issued by the DoD or personal PKI issued by an approved CA that still has to verify your background and identity in person before issuing you a certificate pair.

Along with everyone else they interviewed apparently, I had no idea this program even existed, but there have always been similar programs for other kinds of maintenance and support personnel. The people who repair the toilets and refrigerators in a SCIF don't have clearances. They get an escort, and everyone else in the building gets a warning before anyone needing an escort comes in, telling them to put away any sensitive data and either work on something unclassified or turn off your monitors and stop working completely until these people are done and leave again.

jasonthorsness · 2 months ago
Thanks for the clarification; I was going off "While the ad said that specific technical skills were “highly preferred” and “nice to have,” the main prerequisite was possessing a valid “secret” level clearance issued by the Defense Department" from the article.

TruffleLabs · 2 months ago
Secret is still sensitive info and, if released, can cause harm or disruption.

Spying is not based on finding a single discovery of top secret information but a continuous process of pulling various pieces together. A "secret" item by itself may not cause bad things to happen but combined with other information could result in far greater damage.

g-b-r · 2 months ago
> they can’t just run unsigned code etc.

They can do everything that the escort's account can; I don't think you can know what that is.

Since it's to solve technical issues, there's a high chance that low-level access will be required, often.

bigfatkitten · a month ago
> systems up to secret level only

These aren’t SECRET systems. If they were, that would be catastrophically bad and someone would go to jail.

pjc50 · 2 months ago
Does any of this matter any more given that DOGE have total clearance bypass for uncleared staff?

throwaway667555 · a month ago
Chinese engineers are operating US government cloud computers by proxy. The Chinese just don't see the computer screen--a proxy copies & pastes their commands and reads back the results.

opello · 2 months ago
The "program" is a logistical one and not a software one, in which Microsoft employs Chinese software engineers to be "overseen" by US citizens that have security clearances, but not necessarily the requisite experience for, say, a code review level of oversight.

fuzzfactor · 2 months ago
> not a software

Appears the program has unfixed bugs and security holes anyway :\

MisterTea · 2 months ago
I am flabbergasted that the United States government does not have a requirement that anyone who touches their systems MUST be a vetted US citizen.

bigfatkitten · a month ago
There’s no single overarching federal requirement when it comes to citizenship etc, but I would’ve assumed that ITAR requirements at the very least would’ve made this work US citizen on US soil only.

eigendreams · a month ago
Permanent residents are US Persons for ITAR purposes

ToucanLoucan · 2 months ago
I mean what does vetting even mean anymore? Our President is a convicted felon, our head of HHS thinks bad humors cause illness and vaccines cause Autism, our head of Education is dismantling her own organization with the approved sign off of the Supreme Court, of whom a solid percentage are accused sex offenders, and I could keep going with the utter circus our Government is currently.

Not only are qualifications not required, they are apparently actively discouraged in favor of nepotism and connections.

davidw · 2 months ago
The guy who heads up the Defense department was (drunkenly?) texting out secret plans to a journalist.

nosioptar · 2 months ago
I knew a guy with clearance that cashed out 100% of his retirement to fly to Moscow to meet a sex worker he'd been involved with online. It never affected his clearance.

Dude would run his mouth about stuff he shouldn't tell people under normal circumstances. There's no way he didn't tell the sex worker secret stuff.

datadrivenangel · 2 months ago
So the digital escorts are basically human kvm switches to firewall things off... seems like a bad program.

charcircuit · 2 months ago
Did I miss it, but what do these "digital escorts" actually do? The article doesn't seem to actually explain it.

Edit: It's people who watch over what foreign engineers are doing.

opello · 2 months ago
It doesn't seem amazingly well worded, but I'm assuming that "these workers" from the previous paragraph are the "digital escorts" which were described as:

> U.S. citizens with security clearances to oversee the work and serve as a barrier against espionage and sabotage

nhinck3 · 2 months ago
I'm guessing a pair of eyes over your shoulder (or virtually watching a session) as you do work near or with sensitive data or systems.

richardwhiuk · 2 months ago
It's more involved than that - the US national is the person who has control of the keyboard, the non US national views the screen share and instructs them what to do.

throwaway667555 · a month ago
Chinese engineers call the US escorts on Teams and tell them what to copy & paste into US government cloud terminals. The Chinese don't see the screen or touch the keyboard attached to the government cloud so they "don't" break the letter of the law.

drcongo · 2 months ago
There's a lot of Microsoft programs that could expose the defense department to hackers.

belter · 2 months ago
It's called Windows for a reason...

jwithington · a month ago
i don't really understand why folks are downplaying this in the comments:

some engineers who write the code for production US systems that contain controlled unclassified information live in china. the US government was unaware that this was happening because MSFT hid it from them. as a result, govt stakeholders are/were unable to assess the risk.

all MSFT ATO's should be revoked.

some of the comments point out that foreign workers will help maintain facilities overseas, but govt stakeholders are aware of this, assess the risk, and implement risk controls.

but shady M$FT hid this from govt, and that amplifies the problem!

disclaimer: am google