Sen. Jeanne Shaheen (D-N.H.) pressed the Pentagon on Monday for answers about its guardrails on contractors following revelations that Microsoft was using China-based engineers to maintain the agency’s computer systems.
Shaheen, the top Democrat on the Senate Foreign Relations Committee, raised questions in a letter to Defense Secretary Pete Hegseth about the Pentagon’s implementation of a 2018 provision requiring defense contractors to disclose when a country considered a cyber threat has asked them to share their source code.
The provision passed as part of the National Defense Authorization Act in 2018. However, the Defense Department did not propose rulemaking until last November.
“[I]t unfortunately took the Department six years to take this initial step,” Shaheen wrote. “Meanwhile, PRC engineers were engaged in providing support to the DOD that could have exposed the Department to serious vulnerabilities.”
In mid-July, ProPublica reported that Microsoft was relying on China-based engineers, overseen by security-cleared U.S. citizens known as “digital escorts,” to maintain Defense Department systems.
Sen. Tom Cotton (R-Ark.) raised concerns about the practice to Hegseth. He noted in a letter that even though the practice technically met security requirements, the digital escorts “often do not have the technical training or expertise needed to catch malicious code or suspicious behavior.”
Shortly after, Microsoft announced it was making changes to ensure no China-based engineering teams were providing technical assistance for Defense Department cloud services.
Hegseth also announced a two-week review to “make sure that what we uncovered isn’t happening anywhere else” across the Defense Department.
“While I am encouraged that Microsoft has announced that it will end this arrangement, this incident raises serious questions about whether the DOD is fully implementing U.S. laws that require guardrails around the procurement of information technology (IT) systems,” Shaheen added in Monday’s letter.
The New Hampshire Democrat requested information about the timeline for implementation of the 2018 provision and why it took so long to propose rulemaking. She also pressed the Pentagon for details about its Microsoft contract, how it aims to mitigate similar risks going forward and the scope of its two-week review.
“As cybersecurity risks stemming from the PRC compound, the United States government should not be proactively opening the door to its critically sensitive IT systems due to a lack of U.S. government oversight,” she said.