Microsoft Uses Chinese Engineers To Maintain Defense Department Systems Under Minimal US Oversight

Microsoft employs engineers in China to help maintain Defense Department computer systems, with U.S. citizens serving as "digital escorts" to oversee the foreign workers, according to a ProPublica investigation. The escorts often lack advanced technical expertise to police engineers with far more sophisticated skills, and some are former military personnel paid barely above minimum wage.

"We're trusting that what they're doing isn't malicious, but we really can't tell," one current escort told the publication. The arrangement, critical to Microsoft winning federal cloud computing contracts a decade ago, handles sensitive but unclassified government data including materials that directly support military operations. Former CIA and NSA executive Harry Coker called the system a natural opportunity for spies, saying "If I were an operative, I would look at that as an avenue for extremely valuable access."

Meanwhile Europe let

[simlox]

US companies manage our critical infrastructure. Or is it really to China?

That's ridiculous

[rsilvergun]

We use North Koreans pretending to be Chinese to manage the European infrastructure.

As always big business and profit will always take precedence over safety and security.

Re:

[Teun]

Oh?
Tell me more!

Re:

[MacMann]

As always big business and profit will always take precedence over safety and security.

Profit always comes first, that's something Mike Rowe from Dirty Jobs has pointed out in some of the YouTube videos he's posted before. If there is no profit then the business will be forced to close when the money runs out. With the business closed then just how much security is there on any data they collected? Maybe they thought to shred everything in the process of closing up shop. Or maybe they were so deep in debt that they didn't even have the money to buy a box of matches to burn all the papers

Bullshit

[rsilvergun]

Profit comes first doesn't mean you keep the business open. Plenty of businesses can be plenty profitable but it's never enough.

Profit comes before human lives. Humans are disposable shareholder value is not. That's because shareholder value serves the ruling class.

And as a dedicated nation of 12-year-olds America refuses to acknowledge the existence of their ruling class.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[ZorroXXX]

This post is about Microsoft and it's poor to nonexistent security practices when dealing with a very high security client(DoD). It's nothing about U.S politics

And how the hell is how to manage DoD, an executive department of the U.S. federal government, not politics?

Re:

[Austerity Empowers]

This was to solve the dietary problem where American's were consuming too much produce and unprocessed food. Now that it's finally too expensive, we'll get back to hot-dogs and bologna as God intended.

Two Reasons

[SlashbotAgent]

1. Indians are getting expensive.

2. There are not enough H1Bs(See #1.)

Re:Two Reasons

[Zontar_Thing_From_Ve]

1. Indians are getting expensive.

2. There are not enough H1Bs(See #1.)

I have a friend who works for a US company that has started hiring remote workers in Nepal because "people in India are too expensive". He has no idea what they will do when people in Nepal get "too expensive". His company basically froze hiring in India and while the current Indian workers aren't in any immediate danger of losing their jobs, he told me all of them got moved into contracting jobs that his company can end at any time. He was in low level management for a while and in his current job he is in a position to know that.

Re:

[keltor]

Weird, Nepal has higher rates than India.

Re:

[mjwx]

1. Indians are getting expensive.

2. There are not enough H1Bs(See #1.)

I have a friend who works for a US company that has started hiring remote workers in Nepal because "people in India are too expensive". He has no idea what they will do when people in Nepal get "too expensive". His company basically froze hiring in India and while the current Indian workers aren't in any immediate danger of losing their jobs, he told me all of them got moved into contracting jobs that his company can end at any time. He was in low level management for a while and in his current job he is in a position to know that.

It's the same thing with Mexico, companies went to India because places like Mexico got too expensive.

India is becoming expensive and Indian oligarchs know it, so they are now demanding Indians work 80 hours a week for the same pay.

I doubt they're moving off to Nepal though as Nepal doesn't have the infrastructure.

Re:Two Reasons

[jenningsthecat]

1. Indians are getting expensive.

2. There are not enough H1Bs(See #1.)

3. American corporations put profit above all else.

4. Corporations enjoy the best government, the best legislation, and the laxest enforcement their money can buy when it comes to oversight and enforcement.

5. The "fines" which pass for deterrence and punishment are laughably small.

Re:

[vlad30]

The "fines" which pass for deterrence and punishment are laughably small.

The fines need to be based on revenue and non negotiable in court at least 10% maybe 20% of all company revenue over the time period the infraction was incurred. The first company forced to pay would make the rest think very fast. I would be surprised if this didn't violate DOD contract terms hiring non-US citizens

Re:

[keltor]

I cannot speak to what Microsoft is paying, but for sure all my Chinese engineers make almost identical to what the Indian engineers make. Also, they typically don't leave the company, I have Chinese co-workers who I've worked with for 20 years, but Indians all leave.

We do have Nepali engineers but they live in Japan and get paid Japan rates.

Microsoft does the cheapest crap they can

[gweihir]

... that they think they can get away with. So this is absolutely no surprise. Caveat Emptor.

I evaluated a system like this for a major bank about 15 years ago. We concluded that you need two people (!) with significantly higher skill and systems knowledge (!) that per person supervised and in addition a system where every line the non-trusted person types gets released by the "escorts" after analysis for it to become effective. We did run some experiments with two experts and the "malicious" person was easily able to slip things past the "supervisor". The bank still accepted the system because it was cheaper. And yes, they had a major (non-published) security incident later as a result were one engineer did install a backdoor under this system and was only caught weeks later. The backdoor was just for remote work, so they got lucky. (The person that installed the backdoor was not very smart.) But it nicely shows that such a supervision system does not work unless you invest high effort and then any cost savings are gone.

How, just how do we outsource our security?

[sierra077]

Seriously WTF. The contortions they go through to outsource. First, it's apparently cheaper to hire a dummy with a security clearance (so-called escort) and a Chinese programmer than just hire a U.S. citizen! Actual security be damned! Management, including the U.S. government thinks this is a good idea (detractors voicing concern are ignored as usual).

Second, if you have to review even moderately complex code, it usually takes more time to review than write it, even if you are more skilled than the

Re:

[evil_aaronm]

Profits uber alles! No, really. Security is less important than making money.

Re:

[gweihir]

For Microsoft? Always has been, always will be. They need to die before things get any better.

Re:How, just how do we outsource our security?

[AnOnyxMouseCoward]

That's exactly it. The vast majority of societal complaints that people have in the last few decades (and probably before too) can be traced to greed and uncontrolled capitalism. In the pursuit of money, values crumble. Is the risk-adjusted cost of less security greater or lower than the cost of enforcing better security? Microsoft has obviously done the math (and perhaps they're bad at math, only the future can tell).

Re:

[MacMann]

If you aren't making a profit then there's no means to afford security. Think on that for a bit.

Re:

[evil_aaronm]

You're missing my point, then. When you put pursuit of profit ahead of safety, then you likely end up with neither. Because, much like the case in the fine summary, we're giving people access to our security who could undermine that very security. Think on that for a bit.

Re:

[MacMann]

I believe I see where you are coming from but that can't be a long term strategy, putting security and safety above profit. That might work for a startup where there's no expectation of profit in the first year or two of operation, but at some point profit must come first or you are just going to run out of money. If this is funded by some investors then it might not be your own money you run out of, but it's put profit first at some point or there's no money to afford security and safety. Profit would c

Re:

[gweihir]

Yep. I call this "total loss of context". "Mindless greed" would also be a possibility. And the ones that approved this should definitely go to prison for that and MS should get blacklisted as a supplier for 10 years or longer.

I evaluated such a system about 15 years back for a major bank. Turns out, for this to work you need at least 2 supervisors, they need to know significantly more than the person supervised and everything becomes dog-slow as every line entered needs to be analyzed and then approved. Ob

Not new

[kackle]

Hold on to your hat. [nypost.com]

The cloud makes it better

[TuballoyThunder]

If you don't understand that, then you are stuck in the old paradigm. Watch this video [youtube.com] if you want to see an expert explain the strategy for transitioning to the cloud.

Re:

[zlives]

please pay attention, we are on the AI bandwagon now.

Re:

[gweihir]

Yep, the "new stupid" has replaced the "old stupid" now. Get with the times!

This sentence puts the hammer in facepalm.

[nightflameauto]

"We're trusting that what they're doing isn't malicious, but we really can't tell," one current escort told the publication.

We truly are living in the stupidest timeline. Who in their right god damned mind would let this happen?

Re:This sentence puts the hammer in facepalm.

[DarkOx]

Globalists - who are of course out of their GDed minds.

That is who let this happen. It all stems from the same anti-nationalist mentality that emerged after the second world war and was allowed to take over western academia.

The thinking goes if everyone depends on everyone else nobody will fight any more. Of course reality is not all dependence is created equal. Leaders like Xi understand depending on a consumer market is different then depending on supplier. Sure if they decided to start WWIII we'd quit buying, all those factors can focus on making weapons until the smoke clears, on the other hand no matter how much you want to use the defense production act, you are not getting any shells or aircraft produced in those Glodman Sachs office, McDonalds restaurants, or CVS pharmacies.

National security is a game to these people. Oh the US governemnt contract says everyone has to be a citizen with a clearance or directly supervised by one. Never mind why the rule exists or what it was supposed to accomplish, Microsoft upper management knows perfectly well in this case the latter practice can't be very effective, they just don't give a F*** they can win the bid, that is all they care about.

Re:This sentence puts the hammer in facepalm.

[backslashdot]

Nationalism will doom the planet. Globalism is the way forward for humanity. Consider, 500 years ago, it would take days to travel to two cities within the same country (for example Berlin to Munich.) Now, people can travel to any country in the world in less than 24 hours. Within a few centuries there would inevitably be little to no cultural differences. Tribalism will lead to evil -- note various cultures will still be studied and preserved the same way people do Celtic dance today.

Re:

[backslashdot]

Decided what? You don't own everyone in your culture. You can't tell your neighbors what to do.

Re:

[mjwx]

Nationalism will doom the planet. Globalism is the way forward for humanity. Consider, 500 years ago, it would take days to travel to two cities within the same country (for example Berlin to Munich.) Now, people can travel to any country in the world in less than 24 hours. Within a few centuries there would inevitably be little to no cultural differences. Tribalism will lead to evil -- note various cultures will still be studied and preserved the same way people do Celtic dance today.

This, we're seeing the rise of ultra-nationalism in western countries and it will be the destruction of us if it's not stopped.

Also the GP is wrong. Globalism didn't start in the 1940s or 50s after the fall of fascism, it started in the 80s after the rise of Reagan/Thatcherism. The rise of ever more right wing policies has enabled and encouraged more and more jobs and industries to be sent overseas in the name of increased shareholder value. The 50's, economically at least were a good time for the US (So

Re:

[gweihir]

We truly are living in the stupidest timeline. Who in their right god damned mind would let this happen?

Who says the people calling the shots at MS and at the DoD are rational? Most people on this dirtball are not.

Deeply insufficient

[Gravis Zero]

"We're trusting that what they're doing isn't malicious, but we really can't tell," one current escort told the publication.

The purpose of their presence is obviously a CYA move by Microsoft so they can say, "well we had people watching them" when it hits the fan.

Anyone using Microsoft Azure should assume all their data is being collected for use by the CCP.

National security and cybersecurity experts contacted by ProPublica ...

A Microsoft contractor called Insight Global posted an ad in January seeking an escort to bring engineers without security clearances “into the secured environment” of the federal government and to “protect confidential and secure information from spillage,” an industry term for a data leak. The pay started at $18 an hour.

Yeah, this seems like a pretty clear violation of the law. Someone is going to jail for this and anyone who knew about it is losing their security clearance.

Re:

[gweihir]

"We're trusting that what they're doing isn't malicious, but we really can't tell," one current escort told the publication.

The purpose of their presence is obviously a CYA move by Microsoft so they can say, "well we had people watching them" when it hits the fan.

Which will hopefully be when some of the doubtlessly numerous placed backdoors gets found, not when the US and China have a military conflict and the Chinese know all the plans and everything in advance.

Someone is going to jail for this and anyone who knew about it is losing their security clearance.

Hopefully. And definitely some people as MS as well. This is not just "endangering national security", this is handing it to the enemy on a silver platter.

and what about the other system ?

[Growlley]

you know the one that allowed the current one to be put in place, the politicians are so bent Im suprised they can remeber who bought them this week,

What could possibly go wrong?

[gestalt_n_pepper]

Do I even have to spell this out? WTF is wrong with the military command that would allow this?

Re:

[gweihir]

I can only suspect total non-understanding and too much arrogance to ask an actual expert.

I evaluated a system like this in the past and found that it cannot work unless you invest significantly more money than a trustworthy expert would cost.

Security Through Theatrics

[crunchygranola]

We're trusting that what they're doing isn't malicious, but we really can't tell," one current escort told the publication.

Narrator: some of them are doing malicious things.

Security theater at its finest. At least the escort can tell that they are not obviously goofing off, maybe the only thing Micro$oft cares about.

Re:

[gweihir]

At least the escort can tell that they are not obviously goofing off, maybe the only thing Micro$oft cares about.

I would not even bet on that...

is slashdot doing it too?

[drinkypoo]

Today the site is all goofy, at least on mobile. No comment count updates, comments are sorted incorrectly...

Re:

[gweihir]

Some server issues. I had this story here appear, tried to comment, and then it vanished. A few minutes later it appeared again. Nothing to do with mobile.

The real question

[kid_wonder]

Yes, we are all appalled and shocked.

Who are the people that heard this idea and did not immediately strike it as an option. There is nothing ambiguous about the idea of using foreign workers to maintain state security apparatus. I don't care what country you live in, that is a horrible idea.

So here is the real question: Is this treasonous?

Re:

[gweihir]

So here is the real question: Is this treasonous?

Does treason require intent? If so, it is probably only treason on MS side. They _will_ have known this is not secure and does not work to ensure security. If you can do stupid-treason, then yes, treason all around for everybody that made or supported this decision.

But it's not just the DOD!

[bbsguru]

Microsoft is also providing these same sensitive data management 'services' to 100% of the Federal Judiciary, and many of the Executive branch departments.

Yes, including the department of Commerce. Nothing to see here, pay no attention to the helpful manager.

All your base are belong to us.

What frakking moron approved this?

[LazLong]

This is one of the absolute most stupid things I have ever heard of. This kind of shit would not have past muster during my time in DoD or DoE. With decisions like this, maybe we deserve to be hacked.

Re:

[gweihir]

Indeed. It is really, really hard to imagine anything more stupid and disconnected from reality. The Chinese are probably still incredulous at this extreme level of stupid. I mean, there is not even a remotely credible effort to keep them out.

Re:

[gargeug]

Maybe that is the point. Like a honeypot. Let the Chinese send waves in after it and just observe it all to learn more. And make sure the compromised data isn't real important. DoD had a DEI department, let them manage that data on an isolated network.

Re:

[gweihir]

A honeypot via an obviously active cloud system? No.

Re:

[ZorroXXX]

Well, minimal government oversight is good for business when your goal is to purely grift for your own benefit at the expense of everyone else, so as such it is not that surprising that this is happening under the Trump administration.

Re:

[LazLong]

It's been going on for ten years according to the article. Really, I can't believe someone approved this. Just replace DoD with "Jews" and China with "Hitler" and tell me it makes sense.

Why Microsoft at the Defence Department?

[ukoda]

I have long stop advocating for Linux over Microsoft. People have their reasons for their choices and life to too short to worry about it unless that person is family or a friend. However I was shocked the first time I saw a image of Windows running on a warship, it kind of shattered my perception of the USA being a might war power with visions of in coming missiles and a commander asking why their antimissile system had chosen then to do a force reboot?

To my mind the military was mean to be discipline

Re:

[gargeug]

Most versions of Windows used in DoD systems like that start as a Secure Host Baseline, which has been cleaned of much of the stuff Windows does that annoys people. After that they are religiously managed as an IS. At its core, Windows does work, and it has likely been vetted to the caliber you are expecting. They're not buying Home edition and connecting it to the internet.

Lots of development systems might start on a Linux machine, but to make it 'sailor proof' it migrates to Windows. Mainly because of the