Microsoft was caught with its pants down in a brilliant exposé by ProPublica that said that a major part of the Defense Department’s Cloud Computer system was run by Chinese engineers and monitored by so-called digital escorts who supposedly looked out for any compromise of DOD information. Now, when Senator Tom Cotton called Defense Secretary Hegseth’s attention to the mess, Microsoft withdrew the Chinese engineers and pretended everything was fixed.

Nothing could be farther from the truth.

Back in April 2018, I participated at the Hudson Institute in a special panel review of the then-Pentagon plan to transition all its heritage computer databases to a single computer cloud. The Pentagon plan was to shut down the old computer systems after the cloud was up and running. DOD claimed that the cloud would be easier to maintain than a number of separate computers, and more secure.

DOD’s problem is that it has done a poor job on cyber security for years – and DOD contractors and sub-contractors, operating under weak departmental guidance, have been even worse.

There have been many scandals as the so-called “advanced persistent Cyber threat” has continued to get worse.

A persistent cyber threat is one that operates in the shadows for long periods of time and steals vast quantities of sensitive information. At the time of the DOD cloud proposal, government and contractor computers were under constant attack from hackers. Some of these hackers were teams of Chinese and Russian operators; others were domestic and international hackers who could sell the acquired information to different bidders, including terrorists. Still others were from rogue countries that are still deeply engaged in hacking, including North Korea and Iran.

Around the same time, DOD determined that around 50 gigabytes or more of F-35 stealth fighter jet data had disappeared. We know where it went: China. And we know the result: China was able to field a stealth fighter jet in record time.

Chengdu J-20.

Of course it was not only the design information and other details that enabled China to be successful: China also conducts industrial espionage in depth, so its agents can penetrate US contractors and subcontractors and infiltrate their supplier networks.

The US classifies some sensitive information, but actually quite a lot less than one might think. This enables contractors to work without the burden of cleared workers. We have seen numerous cases of people caught working in critical companies smuggling components needed by China either for further exploitation or use.

In regard to cloud security in 2018 I said:

DoD has laid down its own standards, if you want to call them that, or guidelines, if you want to call them that, on what it expects the security of a system that it’s going to procure should look like. And basically what they’ve done, for the most part, is two things. One, of course, is to make sure the employees that are working in the cloud environment that’s being proposed are cleared American employees.

That, by the way, creates a significant problem in being able to find enough cleared American employees to do the job. And I’m not sure they are so readily available. But that is definitely a challenge, let’s say, that’s out there. And the second is to take some of the procedures that are used to secure DoD’s existing computers and servers and equipment and apply that to the cloud.

We understood, in 2018, that the cloud security problem was supposedly solved by using only security-cleared American employees. It seems that the pledge was violated by the Defense Department, which permitted foreign workers to support and service the DoD cloud so long as they were “supervised.” The supervisors are called “digital escorts.” The workers, so far at least in Microsoft’s case, turn out to be Chinese.

Chinese engineers work remotely in China, and it is probably a fair assumption that digital escorts allegedly monitor the work of the Chinese engineers, also remotely. In other words, the so-called escorts are virtual, they don’t sit next to the Chinese operators.

We do not know anything really about the qualifications of the digital escorts, or even if they understand the Cloud network they are supposedly protecting. They would have to understand the actual cloud software and the underlying processors, and they would need to follow guidelines on what might constitute any sort of breach of the protocols or data by the Chinese.

Any clever operator in China could figure out how to insert malware into the cloud, but actually since they have full time access to it anyway there is no overpowering reason for them to do so. Instead they can just suck up all the data and run it through their supercomputers, or even their latest quantum computers. China leads the world in quantum computers, and if they really do work, they can smash encryption codes in seconds.

DoD information in the cloud is supposed to be encrypted, or at least we are told that. But that may just be the outside of the system to keep out random hackers. The actual information may not actually be encrypted. That would mean a potential bonanza for China and a huge risk to US security.

The original DOD contract was supposed to go to a single contractor. However, complaints from industry and the public – and from security experts, as in our panel discussion – pushed the department to support more than one cloud application (and also may have allowed for some backup if a cloud operation crashed, for whatever reason, although DoD has not told us about any backup).

The question arises: If Microsoft was using Chinese engineers, were the other cloud providers doing the same thing, and did they have digital escorts, or something like them?

Along with Microsoft, other participants in the DoD cloud contract, initially for $9 billion, were Amazon, Google and Oracle. All of them do business in China. Oracle has offices in Beijing. Amazon has offices in Beijing, Shanghai and Wuhan. Google has offices in Beijing, Shanghai and Shenzhen. Of course we do not know if DoD granted them the same deal they allowed for Microsoft, but it is important to find out.

Or maybe DOD never agreed to digital escorts and Chinese engineers? We don’t really know, but it is unlikely Microsoft could have hired Chinese engineers without some Defense Department input. If DoD never approved, then it is another example of a security failure. If they did approve, of course, it is also a security failure. Either way it is a disaster.

Hegseth understands the digital escort issue is a big deal, but he cannot just accept Microsoft’s decision to end China’s participation in the Defense Department cloud. Hegseth needs to back a full scale inquiry and investigation. We need an assessment of how much damage was done and, potentially, what programs may have possibly been compromised.

Such an investigation has to assess just how long the Digital Escort system has been in place. How long has China had access to the Defense Department’s computer heartland? Hegseth needs to find out what the other contractors are doing and if they are using foreign workers.

Finally there is a serious question about outsourcing American security to private contractors, especially those who are not core defense contractors and who depend on foreign revenues to support their bottom line. Companies that are mainly commercial are inherently a risk because they lack a security culture and always want to expand into markets that can prove difficult and risky. Putting trust in them raises more than eyebrows.

Stephen Bryen is a special correspondent to Asia Times and a former US deputy undersecretary of defense for policy. This article, which originally appeared in his Substack newsletter Weapons and Strategy, is republished with permission.

20 Comments

  1. ANOTHER CCP spy pleads guilty to espionage in USA this week, stealing defense tech. Ooooof.

  2. I wonder why Western defense industries don’t steal CCP tech. Oh, wait… because it’s junk.

    1. The Starship has blown up quite a few times. This kind of thing used to happen only in India. Luckily this is more of an aberration because it is still the USA.

    2. Isn’t it a difficult tightrope to walk, simultaneously hyping up the China threat while scoffing that they will never catch up with US military technology? And why do Indians keep inserting themselves as third party provocateurs wanting others to fight their battles for them? Could it be the result of a stymied domestic military base struggling to integrate multiple systems from multiple countries?

  3. China stealing American tech at this stage seems counter-productive. When you’re driving a Porsche you don’t upgrade to a Ford Pinto.

  4. Every Chinese citizen is required by law to spy for the CCP if asked. And prohibited from disclosing it. Sad.

  5. Totally agree with the premise of the article. The CCP does not innovate. It steals. For too long it seems that there was a sort of “wishful thinking” that the CCP would not attempt to use lies, deceit and trickery to exfil Western technology. Unfortunately for the General Secretary of the CCP, this scheme is no longer his dirty little secret…

    1. So why worry if it’s only ‘certain’ people who are capable of innovation. You can sleep soundly tonight. Just up the security.

      1. Agreed. That’s what I believe the USA is doing with the recent improvements to continuous vetting / tightening of visas / removal of foreigners from sensitive projects. A lot of CCP spies have been arrested lately in USA and elsewhere.

      2. Exactly. Chinese are a very small people, who have 5k yrs of history… of being coolies and being conquered.
        Nothing to worry about from their strawberry soldiers too, small of stature and weapons.

          1. The pathology of trolls often involves a combination of psychological traits and behaviors that contribute to their behavior. Key insights include:
            Narcissism: Many trolls exhibit narcissistic traits, seeking validation and admiration from others.
            Machiavellianism: This trait allows trolls to manipulate situations for personal gain, often at the expense of others.
            Psychopathy: Trolls may display psychopathic characteristics, making them indifferent to the emotional suffering of others.
            Sadism: Some trolls exhibit sadistic tendencies, deriving pleasure from causing pain or distress to others.
            Unhealthy Choices: Trolling often stems from feelings of inadequacy or unimportance, driven by unhealthy coping mechanisms.
            These traits and behaviors highlight the complex nature of trolling and the psychological factors behind it.

        1. The pathology of trolls often involves a combination of psychological traits and behaviors that contribute to their behavior. Key insights include:
          Narcissism: Many trolls exhibit narcissistic traits, seeking validation and admiration from others.
          Machiavellianism: This trait allows trolls to manipulate situations for personal gain, often at the expense of others.
          Psychopathy: Trolls may display psychopathic characteristics, making them indifferent to the emotional suffering of others.
          Sadism: Some trolls exhibit sadistic tendencies, deriving pleasure from causing pain or distress to others.
          Unhealthy Choices: Trolling often stems from feelings of inadequacy or unimportance, driven by unhealthy coping mechanisms.
          These traits and behaviors highlight the complex nature of trolling and the psychological factors behind it.

  6. In 2019 there were 1.3 million people with top secret clearance in the US and 4.3 million with general security clearance, you can guess how many were contractors. For a country with 330 million this is overkill. The over-grading problem exists in the evil empire of lies and paranoia. They hide too much and when you try to protect everything you protect nothing. It will end up leaking.

    1. Comical Ali.
      Where is the flying steed Mo used to fly to heaven? Have the Chinese managed to copy that?

      1. What percentage of men remain unmarried in India?
        The issue of unmarried men in India has become increasingly apparent, with statistics indicating a rise in the number of unmarried Indian men from 51% in 2007 to 61% in recent years. This article aims to explore the reasons behind this phenomenon and its consequences for Indian society. Nov 17, 2023