On July 15, 2025, ProPublica published a sweeping investigation revealing that Microsoft had, for nearly a decade, allowed engineers based in China to remotely support sensitive Department of Defense (DoD) cloud systems. Federal agencies relied on a workaround known as the “digital escort” program, in which US-based personnel with US national security clearances would input commands provided by foreign engineers into Pentagon-linked infrastructure; the degree to which the arrangement was known within those agencies remains in question.

Congress questions digital escort processes — Microsoft reverses its policies

Senator Tom Cotton (R-AR) demanded an immediate reckoning. In a letter to the Pentagon, Cotton called for a list of DoD contractors using Chinese personnel to provide maintenance or support to DoD systems. He questioned the training protocols for digital escorts on how to identify suspicious activity. Cotton also asked for a list of subcontractors that hire digital escorts for Microsoft (or any other entity) and their interview and technical assessment process.  

Microsoft quickly issued a statement on social networking platform X (formerly Twitter) through Chief Communications Officer Frank X. Shaw, announcing a full policy reversal: “Microsoft has made changes to our support for US Government customers to assure that no China-based engineering teams are providing technical assistance for DoD Government cloud and related services.” The company emphasized its commitment to secure services and pledged to work with national security partners to evaluate and adjust its protocols.

What the program was — and how it worked

The digital escort model, according to ProPublica, was designed to comply with federal contracting rules that prohibit foreign nationals from directly accessing sensitive government systems. Under this framework:

  • China-based engineers would file support tickets for tasks such as firewall updates or bug fixes.
  • US-based escorts — often former military personnel hired for their clearances — would copy and paste the engineers’ commands into DoD cloud environments.
  • These escorts frequently lacked the technical expertise to vet the code they were executing, creating a security blind spot.

Microsoft maintained that global support personnel had no direct access to customer data or systems, and that escorts were trained to protect sensitive data. However, internal sources and former employees told ProPublica that the system was inherently risky and poorly understood, even by senior officials at the Defense Information Systems Agency (DISA).

Identified risks and expert warnings

While I may not be the most technical in the cybersecurity world, it seems these risks were not theoretical. Experts cited multiple vulnerabilities:

  • Malicious code injection: Escorts could unknowingly execute scripts that compromised system integrity.
  • Espionage potential: Chinese engineers had visibility into system architecture and workflows, offering a vector for intelligence collection.
  • Compliance laundering: The escort model allowed Microsoft to technically meet federal requirements while sidestepping their intent.

Harry Coker, former CIA and NSA executive, called the program a “natural opportunity for spies.” Jeremy Daum of Yale Law School emphasized that Chinese law makes it difficult for citizens or companies to resist government data requests: “That’s the risk baked into cross-border support.”

As a long-in-the-tooth former HUMINT officer myself, I’ll say it plainly: If I had created a channel where trusted insiders piped code into systems of interest, I’d have created an intelligence superhighway, one so efficient and self-sustaining, it would rival the infamous self-licking ice cream cone. Elegance is the cover: plausible cyber administrative or compliance tasks.  

In Microsoft’s defense, and based on the broad lack of knowledge within the DoD, there don’t seem to have been any guardrails to prevent this from occurring. John Sherman, DoD CIO during the Biden administration, told ProPublica, “I probably should have known about this.” He opined that the system is a major security risk for the department and called for a “thorough review by DISA, Cyber Command, and other stakeholders.”

DISA, for its part, apparently focused on the level of access afforded the foreign engineers and stepped right through the intent of the digital escort. DISA noted, “Experts under escort supervision have no direct, hands-on access to government systems; but rather offer guidance and recommendations to authorized administrators who perform tasks.” That leaves one scratching one’s head if, as ProPublica presents, those same escorts lacked the technical chops to discern potential threats in what was provided to them to insert into the DoD systems.

Department of Defense responds

The wagons have circled and fingers are pointing. Defense Secretary Pete Hegseth condemned the practice, stating: “Foreign engineers, from any country, including of course China, should NEVER be allowed to maintain or access DoD systems.” He ordered a two-week audit of all cloud contracts to identify similar vulnerabilities.

While Microsoft is the focus, other cloud vendors — Amazon Web Services, Google Cloud, or Oracle — haven’t said whether they use digital escorts and foreign engineers in support of sensitive government programs. ProPublica notes that these vendors either didn’t answer or had no comment on whether they use similar arrangements.

As of July 21, 2025, this audit is under way, and its findings are pending. The results may reveal whether digital escort-style systems exist elsewhere, and whether federal oversight has kept pace with the globalization of technical support.

What comes next

It appears the DoD was relying on common sense by vendors, such as Microsoft, to maintain system integrity and security. While the digital escort may have technically met federal contracting criteria, the use of foreign engineers seemed to fly in the face of basic counterintelligence doctrine and its intent: to prevent foreign access and potential espionage.

As the Pentagon’s audit unfolds, the question isn’t just whether Microsoft crossed a line, it’s whether the line itself was clearly drawn.
