Microsoft Used China-Based Support for Multiple U.S. Agencies, Potentially Exposing Sensitive Data

Last week, Microsoft announced that it would no longer use China-based engineering teams to support the Defense Department’s cloud computing systems, following ProPublica’s investigation of the practice, which cybersecurity experts said could expose the government to hacking and espionage.

But it turns out the Pentagon was not the only part of the government facing such a threat. For years, Microsoft has also used its global workforce, including China-based personnel, to maintain the cloud systems of other federal departments, including parts of Justice, Treasury and Commerce, ProPublica has found.

This work has taken place in what’s known as the Government Community Cloud, which is intended for information that is not classified but is nonetheless sensitive. The Federal Risk and Authorization Management Program, the U.S. government’s cloud accreditation organization, has approved GCC to handle “moderate” impact information “where the loss of confidentiality, integrity, and availability would result in serious adverse effect on an agency’s operations, assets, or individuals.”

The Justice Department’s Antitrust Division has used GCC to support its criminal and civil investigation and litigation functions, according to a 2022 report. Parts of the Environmental Protection Agency and the Department of Education have also used GCC.

Microsoft says its foreign engineers working in GCC have been overseen by U.S.-based personnel known as “digital escorts,” similar to the system it had in place at the Defense Department.

Nevertheless, cybersecurity experts told ProPublica that foreign support for GCC presents an opportunity for spying and sabotage. “There’s a misconception that, if government data isn’t classified, no harm can come of its distribution,” said Rex Booth, a former federal cybersecurity official who now is chief information security officer of the tech company SailPoint.

“With so much data stored in cloud services — and the power of AI to analyze it quickly — even unclassified data can reveal insights that could harm U.S. interests,” he said.

Harry Coker, who was a senior executive at the CIA and the National Security Agency, said foreign intelligence agencies could leverage information gleaned from GCC systems to “swim upstream” to more sensitive or even classified ones. “It is an opportunity that I can’t imagine an intelligence service not pursuing,” he said.

The Office of the Director of National Intelligence has deemed China the “most active and persistent cyber threat to U.S. Government, private-sector, and critical infrastructure networks.” Laws there grant the country’s officials broad authority to collect data, and experts say it is difficult for any Chinese citizen or company to meaningfully resist a direct request from security forces or law enforcement.

Microsoft declined interview requests for this story. In response to questions, the tech giant issued a statement that suggested it would be discontinuing its use of China-based support for GCC, as it recently did for the Defense Department’s cloud systems.

“Microsoft took steps last week to enhance the security of our DoD Government cloud offerings. Going forward, we are taking similar steps for all our government customers who use Government Community Cloud to further ensure the security of their data,” the statement said. A spokesperson declined to elaborate on what those steps are.

The company also said that over the next month it “will conduct a review to assess whether additional measures are needed.”

The federal departments and agencies that ProPublica found to be using GCC did not respond to requests for comment.

The latest revelations about Microsoft’s use of its Chinese workforce to service the U.S. government — and the company’s swift response — are likely to fuel a rapidly developing firestorm in Washington, where federal lawmakers and the Trump administration are questioning the tech giant’s cybersecurity practices and trying to contain any potential national security fallout. “Foreign engineers — from any country, including of course China — should NEVER be allowed to maintain or access DoD systems,” Defense Secretary Pete Hegseth wrote in a post on X last Friday.

Last week, ProPublica revealed that Microsoft has for a decade relied on foreign workers — including those based in China — to maintain the Defense Department’s computer systems, with oversight coming from U.S.-based digital escorts. But those escorts, we found, often don’t have the advanced technical expertise to police foreign counterparts with far more advanced skills, leaving highly sensitive information vulnerable. In response to the reporting, Hegseth launched a review of the practice.

ProPublica found that Microsoft developed the escort arrangement to satisfy Defense Department officials who were concerned about the company’s foreign employees, given the department’s citizenship requirements for people handling sensitive data. Microsoft went on to win federal cloud computing business and has said in earnings reports that it receives “substantial revenue from government contracts.”

While Microsoft has said it will stop using China-based tech support for the Defense Department, it declined to answer questions about what would replace it, including whether cloud support would come from engineers based outside the U.S. The company also declined to say whether it would continue to use digital escorts.

Microsoft confirmed to ProPublica this week that a similar escorting arrangement had been used in GCC — a dynamic that surprised some former government officials and cybersecurity experts. “In an increasingly complex digital world, consumers of cloud products deserve to know how their data is handled and by whom,” Booth said. “The cybersecurity industry depends on clarity.”

Microsoft said it disclosed details of the GCC escort arrangement in documentation submitted to the federal government as part of the FedRAMP cloud accreditation process. The company declined to provide the documents to ProPublica, citing the potential security risk of publicly disclosing them, and also declined to say whether the China-based location of its support personnel was specifically mentioned in them.

ProPublica contacted other major cloud services providers to the federal government to ask whether they use China-based support. A spokesperson for Amazon Web Services said in a statement that “AWS does not use personnel in China to support federal contracts.” A Google spokesperson said in a statement that “Google Public Sector does not have a Digital Escort program. Instead, its sensitive systems are supported by fully trained personnel who meet the U.S. government’s location, citizenship and security clearance requirements.” Oracle said it “does not use any Chinese support for U.S. federal customers.”