Last week, US Secretary of Defense Pete Hegseth used X to announce that the Department of Defense (DoD) was stamping out Microsoft's use of China-based engineers in federal cloud environments. His very public indictment of Microsoft's practices comes after years in which US federal departments were apparently exposed to potential Chinese cyberattacks and security breaches through the tech giant's use of offshored support engineers.

In mid-July, ProPublica revealed that, under a DoD-approved mechanism called 'digital escorts', Microsoft had used China-based contractors to support the department's computer systems for almost a decade. During this time, scripts, code and configuration changes from these administrators and engineers may have been introduced without any further review. Unsurprisingly, this sparked immediate concern within the US federal government, alongside a flurry of damning media reports.

ProPublica later uncovered that Microsoft's practice of outsourcing support to employees around the world, including China, was not in fact limited to the DoD but was widespread across the Microsoft-supported US Government Community Cloud (GCC). Whilst less serious than the DoD issue, it was nonetheless clear that this practice could introduce risks to US government entities with low to moderate security requirements that still handle massive volumes of US citizen and other sensitive information. US commentators in those articles quite correctly condemned the practice and explained how offshore support from unfriendly countries poses a serious risk to US interests.

After a period of investigation, and no doubt some serious discussions between the US government and Microsoft, Secretary of Defense Hegseth has now set out the US government's response. This includes an immediate review of the practice and of all those involved in it; full reviews of the code in the environment and of its configurations; and a new, broad mandate of zero Chinese involvement, extending across the wider supply chain to all federal systems.

However, these reviews will take years and likely cost tens of millions of dollars, a cost that Hegseth claims will not be borne by the US taxpayer. In the meantime, the DoD has to come to terms with a new and ongoing risk: namely, that it cannot trust that its systems are fully under its control and free from residual Chinese interlopers.

Microsoft, China and data centre gaps

This is far from an acceptable position whilst relations between the two countries remain fractious. An exact parallel to the DoD digital escort arrangement does not appear to exist in the UK or Europe. However, following the UK government's agreement to spend £9bn on Microsoft services over the next five years, and the widespread use of Microsoft systems at every level of government, we would be wise to ask the question: in using Microsoft's cloud platforms, could British companies and public institutions be exposing themselves to similar risks?

Microsoft's list of countries in which its third-party sub-processors operate is presumably considered trustworthy by its users, despite not being limited to the UK and Europe. Even so, the trust between the UK and other countries varies, and whilst in general offshoring terms these relationships might be considered satisfactory, for some types of data sharing they could introduce unacceptable risks or even end up being legally restricted.

The Microsoft list also expanded to 18 countries with the addition of South Korea (a country deemed adequate under both UK and EU GDPR) in June of this year, showing the need to continuously review and re-assess the places to which Microsoft may send or expose your data.
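That re-assessment is easy to automate: keep a dated snapshot of the provider's published country list, diff each new snapshot against the last one, and flag any entry that is not covered by a UK or EU adequacy decision. The script below is an added example (it is not code from this article or from Microsoft): the two snapshot lists are constructed for illustration and are not Microsoft's actual list, and the adequacy sets are my own reading of the UK and EU adequacy decisions, which should be verified against the ICO and the European Commission before being relied on.

```python
"""Diff two snapshots of a cloud provider's sub-processor country list
and flag countries without UK/EU adequacy.

Added example, not from the article. PREVIOUS / CURRENT are CONSTRUCTED
sample lists. The adequacy sets are assumptions drawn from published
UK and EU adequacy decisions; verify them before relying on them.
"""
from dataclasses import dataclass

# EEA states: adequate for UK GDPR purposes and not "third countries"
# under EU GDPR, so treated as adequate for both.
EEA = {
    "Austria", "Belgium", "Bulgaria", "Croatia", "Cyprus", "Czechia",
    "Denmark", "Estonia", "Finland", "France", "Germany", "Greece",
    "Hungary", "Ireland", "Italy", "Latvia", "Lithuania", "Luxembourg",
    "Malta", "Netherlands", "Poland", "Portugal", "Romania", "Slovakia",
    "Slovenia", "Spain", "Sweden", "Iceland", "Liechtenstein", "Norway",
}
# Third countries with a UK adequacy regulation (assumption: verify).
UK_ADEQUATE = EEA | {
    "Andorra", "Argentina", "Canada", "Faroe Islands", "Gibraltar",
    "Guernsey", "Isle of Man", "Israel", "Japan", "Jersey", "New Zealand",
    "South Korea", "Switzerland", "Uruguay",
}
# Third countries with an EU adequacy decision (assumption: verify).
EU_ADEQUATE = EEA | {
    "Andorra", "Argentina", "Canada", "Faroe Islands", "Guernsey",
    "Isle of Man", "Israel", "Japan", "Jersey", "New Zealand",
    "South Korea", "Switzerland", "United Kingdom", "Uruguay",
}
# US adequacy only covers organisations certified under the EU-US Data
# Privacy Framework / UK extension, so it is flagged as conditional.
CONDITIONAL = {"United States"}

# Provider lists spell country names inconsistently; map common variants.
ALIASES = {
    "korea, republic of": "South Korea", "republic of korea": "South Korea",
    "usa": "United States", "u.s.": "United States",
    "united states of america": "United States", "uk": "United Kingdom",
}


def normalise(name: str) -> str:
    """Collapse whitespace and resolve known aliases to a canonical name."""
    cleaned = " ".join(name.split())
    return ALIASES.get(cleaned.casefold(), cleaned)


def classify(country: str) -> str:
    """Return adequate / uk-only / eu-only / conditional / non-adequate."""
    c = normalise(country)
    if c in CONDITIONAL:
        return "conditional"
    uk, eu = c in UK_ADEQUATE, c in EU_ADEQUATE
    if uk and eu:
        return "adequate"
    if uk:
        return "uk-only"
    if eu:
        return "eu-only"
    return "non-adequate"


@dataclass
class SnapshotDiff:
    added: frozenset      # countries new in the current snapshot
    removed: frozenset    # countries dropped since the previous snapshot
    flagged: dict         # current country -> status, for non-adequate ones


def diff_snapshots(previous, current) -> SnapshotDiff:
    """Diff two country lists and flag every current entry that is not
    plainly adequate for both UK and EU transfers."""
    prev = {normalise(c) for c in previous}
    cur = {normalise(c) for c in current}
    flagged = {c: classify(c) for c in sorted(cur) if classify(c) != "adequate"}
    return SnapshotDiff(frozenset(cur - prev), frozenset(prev - cur), flagged)


def report(d: SnapshotDiff) -> list:
    """Render the diff as review-ready lines."""
    lines = [f"added: {', '.join(sorted(d.added)) or 'none'}",
             f"removed: {', '.join(sorted(d.removed)) or 'none'}"]
    lines += [f"REVIEW {c}: {status}" for c, status in d.flagged.items()]
    return lines


# Constructed snapshots for illustration only (not Microsoft's real list).
PREVIOUS = ["Ireland", "Netherlands", "United States", "India", "Japan"]
CURRENT = PREVIOUS + ["Korea, Republic of", "Philippines"]

if __name__ == "__main__":
    print("\n".join(report(diff_snapshots(PREVIOUS, CURRENT))))
```

Run this against each new copy of the published list and treat every `REVIEW` line as a question for your data protection officer: an added "non-adequate" country needs a transfer mechanism (or an exclusion for the data classes concerned) before the change is accepted, and a "conditional" entry needs a check that the specific sub-processor actually holds the certification the adequacy decision depends on.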

On the same pages, Microsoft also identifies a larger pool of countries in which it operates data centres: 34 in total, 14 of which are deemed non-adequate for UK/EU GDPR purposes, and some of which are certainly not considered wholly UK-friendly. Included in this list is its Chinese data centre region, operated on Microsoft's behalf, and notionally at arm's length, by 21Vianet.

Microsoft states that these Chinese data centres are physically separated from the rest of its public cloud, but the company's own web pages nonetheless advise customers on how to bridge that gap. In other words, linking the two clouds is certainly possible at the level of an individual tenant through straightforward reconfiguration and the use of Microsoft's own networks or VPNs.

When two supposedly air-gapped platforms can be bridged so simply, it becomes hard to claim they are still assuredly separate, and it inevitably raises the question of how far we can trust the security posture of the global public cloud on which so much of UK critical infrastructure now depends.

Whilst Google, AWS and Oracle all gave ProPublica clear statements that they provide no form of US government support from China, and none lists China as either a processing or a support location, Microsoft's position absolutely warrants further examination.

China is not itself listed as a processing country in Microsoft's Service Trust Portal, but can such a low level of assurance still suffice for UK and EU customers after what the US government has just uncovered?

ProPublica's finding that GCC services were supported by China-based staff in Microsoft's workforce carries the implication that the same could apply to all of Microsoft's public cloud services.

With two major US federal clouds already having been supported from China, UK and EU governments using Microsoft services should probably start asking themselves whether, even if they still have faith in Microsoft as a supplier, they can afford to extend that trust to the countries and people in Microsoft's supply chain who provide their cloud support.

Owen Sayers is a senior partner at Secon Solutions LLP
