The Pentagon issued a “letter of concern” to Microsoft documenting a “breach of trust” over the company’s use of China-based engineers to maintain sensitive government computer systems, Defense Secretary Pete Hegseth announced this week. At the same time, the Defense Department is opening an investigation into whether any of those employees have compromised national security.
The actions came in response to a recent ProPublica investigation that exposed Microsoft’s “digital escort” system, in which U.S. personnel with security clearances supervise foreign engineers, including those in China. ProPublica found that the escorts often lack the expertise needed to effectively supervise engineers with far more advanced technical skills.
The tech giant developed the arrangement as a work-around to a Defense Department requirement that people handling sensitive data be U.S. citizens or permanent residents.
“The program was designed to comply with contracting rules, but it exposed the department to unacceptable risk,” Hegseth said in a video announcement posted on X. “If you’re thinking America first and common sense, this doesn’t pass either of those tests.”
The letter serves as a warning to Microsoft, which has said in earnings reports that it receives “substantial revenue from government contracts.” It is less serious than a “cure notice,” which could lead to termination of Microsoft contracts if problems are not fixed. The department did not release the letter publicly, and it did not reply to ProPublica’s request for a copy of it.
Experts have said allowing China-based personnel to perform technical support and maintenance on U.S. government computer systems poses major security risks. Laws in China grant the country’s officials broad authority to collect data, and experts say it is difficult for any Chinese citizen or company to meaningfully resist a direct request from security forces or law enforcement.
Hegseth said the newly opened Pentagon investigation into the digital escort program would focus on Microsoft’s China-based employees. The probe will “help us determine the impact of this digital escort workaround,” he said, including whether “they put anything in the code that we didn’t know about.”
Hegseth said in his video announcement that the department is also requiring a new third-party audit of Microsoft’s digital escort program. It is unclear who will conduct that audit.
Microsoft started using digital escorts about a decade ago, ProPublica found, and went on to win federal cloud computing business worth billions of dollars. Through the Obama, Trump and Biden administrations, the system escaped the notice of Pentagon officials. ProPublica reported last week that Microsoft failed to disclose key details of the arrangement in the security plans it submitted to the Defense Department. The company has declined to comment on those omissions.
“We expect vendors doing business with the Department of Defense to put U.S. national security ahead of profit maximization,” Hegseth said in the video.
In the wake of ProPublica’s reporting, Microsoft announced last month that it had stopped using China-based engineers to support Defense Department cloud computing systems. In a statement provided for this story, the company said that it “will continue to collaborate with the US Government to ensure we are meeting their expectations.”
“We remain committed to providing the most secure services possible to the US government, including working with our national security partners to evaluate and adjust our security protocols as needed,” the company said in the statement.
In addition to China, Microsoft has operations in India, the European Union and elsewhere across the globe, and engineers in those places also work on Defense Department cloud maintenance.
Last month, Hegseth said on X that “foreign engineers — from any country, including of course China — should NEVER be allowed to maintain or access DoD systems.” But last week, in response to ProPublica’s questions, the Defense Department left the door open to the continued use of foreign-based engineers with digital escorts, saying that it “may be deemed an acceptable risk,” depending on factors that include “the country of origin of the foreign national” being escorted.
In his announcement, Hegseth did not mention whether the escort program would continue or say whether Microsoft’s reliance on other foreign nationals to maintain the Defense Department’s computer systems would also be reviewed. The department did not respond to questions from ProPublica seeking additional information about the new investigations.
ProPublica reported last month that Microsoft has also relied on its China-based employees to maintain federal cloud computing systems beyond the Defense Department, including those of the departments of Justice, Treasury and Commerce. In response to the reporting, Microsoft has suggested that it would also discontinue the use of China-based engineers for those departments.
In this week’s announcement, Hegseth said the Defense Department was working “with our partners in the rest of the federal government to ensure that all U.S. networks are protected.”
