A little-known Microsoft program could expose the Defense Department to hackers

by danso on 7/15/2025, 12:18 PM with 50 comments

by beoberha on 7/15/2025, 2:14 PM

I work in Azure and this is wildly mischaracterizing the risk, though it is news to me that there are non-US nationals doing escorts for the non-airgapped government clouds.

I assume it is OK to say this: Microsoft has a “China” cloud and a non-airgapped “US Government” cloud. It is standard practice that engineers making production touches in the clouds have to be “escorted” by vendors who make sure you’re not doing anything malicious. I assume the article is implying that these vendors for the US Gov cloud may be Chinese nationals.

As Jason mentions in another comment, anything actually requiring clearance is serviced by the airgapped clouds and only folks with clearance are able to operate there.

Edit: misread the article but the third paragraph stands. The government is totally aware of where the operator boundary lies and this is still wildly mischaracterized.

by jasonthorsness on 7/15/2025, 1:39 PM

This article is trying to show it as more scary than it is. The key points are: this is systems up to secret level only and sessions are recorded and watched by an escort; the escort is not as tech savvy as the engineers performing maintenance (who are also Microsoft employees, from many countries of origin) but there are other controls too; they can’t just run unsigned code etc.

The top secret stuff isn’t using this system; it’s using cleared staff.

by opello on 7/15/2025, 1:33 PM

The "program" is a logistical one and not a software one in which Microsoft employs Chinese software engineers to be "overseen" by US citizens that have security clearances, but not necessarily the requisite experience for say a code review level of oversight.

by MisterTea on 7/15/2025, 2:15 PM

I am flabbergasted that the United States government does not have a requirement that anyone who touches their systems MUST be a vetted US citizen.

by datadrivenangel on 7/15/2025, 1:34 PM

So the digital escorts are basically human KVM switches to firewall things off... seems like a bad program.

by charcircuit on 7/15/2025, 1:27 PM

Did I miss it, but what do these "digital escorts" actually do? The article doesn't seem to actually explain it.

Edit: It's people who watch over what foreign engineers are doing.

by drcongo on 7/15/2025, 1:22 PM

There's a lot of Microsoft programs that could expose the defense department to hackers.

by jwithington on 7/17/2025, 10:49 AM

i don't really understand why folks are downplaying this in the comments:

some engineers who write the code for production US systems that contain controlled unclassified information live in china. the US government was unaware that this was happening because MSFT hid it from them. as a result, govt stakeholders are/were unable to assess the risk.

all MSFT ATO's should be revoked.

some of the comments point out that foreign workers will help maintain facilities overseas, but govt stakeholders are aware of this, assess the risk, and implement risk controls.

but shady M$FT hid this from govt, and that amplifies the problem!

disclaimer: am google

by DarkmSparks on 7/15/2025, 2:56 PM

well, I guess this probably explains the OPM breach. I wondered how they got hold of even the basic details needed for that, seems Microsoft was sending them targets by email voluntarily.

Worst part is I'm not really surprised.

by jmclnx on 7/15/2025, 1:21 PM

> Pentagon bans foreign citizens from accessing highly sensitive data, but Microsoft bypasses this by using engineers in China ...

The fun of using Cloud type systems. I expect AWS, Google and maybe IBM Cloud have the same issue. Save $ now, pay lots more later.

by svaha1728 on 7/15/2025, 1:25 PM

The Microsoft tech debt dumpster fire continues.