by ProPublica ProPublica is a nonprofit newsroom that investigates abuses of power. Sign up to receive our biggest stories as soon as theyre published. For nearly a decade, Microsoft has used engineers in China to help maintain highly sensitive Defense Department computer systems. ProPublicas investigation reveals how a model that relies on digital escorts to oversee foreign tech support could leave some of the nations most sensitive data vulnerable to hacking from its leading cyber adversary.Here are the key takeaways from that report: Only U.S. citizens with security clearances are permitted to access the Defense Departments most sensitive data. Since 2011, cloud computing companies that wanted to sell their services to the U.S. government had to establish how they would ensure that personnel working with federal data would have the requisite access authorizations and background screenings. Additionally, the Defense Department requires that people handling sensitive data be U.S. citizens or permanent residents. This presented an issue for Microsoft, which relies on a vast global workforce with significant operations in India, China and the European Union. Microsoft established its low-profile digital escort program to get around this prohibition. Microsofts foreign workforce is not permitted to access sensitive cloud systems directly, so the tech giant hired U.S.-based digital escorts, who had security clearances that authorized them to access sensitive information, to take direction from the overseas experts. The engineers might briefly describe the job to be completed for instance, updating a firewall, installing an update to fix a bug or reviewing logs to troubleshoot a problem. Then the escort copies and pastes the engineers commands into the federal cloud.The problem, ProPublica found, is that digital escorts dont necessarily have the advanced technical expertise needed to spot problems.Were trusting that what theyre doing isnt malicious, but we really cant tell, said one current escort. The escorts handle data that, if leaked, would have catastrophic effects. Microsoft uses the escort system to handle the governments most sensitive information that falls below classified. According to the government, this includes data that involves the protection of life and financial ruin. The loss of confidentiality, integrity, or availability of this information could be expected to have a severe or catastrophic adverse effect on operations, assets and individuals, the government has said.Defense Department data in this category includes materials that directly support military operations. The program could expose Pentagon data to cyberattacks. Because the U.S.-based escorts are taking direction from foreign engineers, including those based in China, the nations greatest cyber adversary, it is possible that an escort could unwittingly insert malicious code into the Defense Departments computer systems.A former Microsoft engineer who worked on the system acknowledged this possibility. If someone ran a script called fix_servers.sh but it actually did something malicious, then [escorts] would have no idea, the engineer, Matthew Erickson, told ProPublica.Pradeep Nair, a former Microsoft vice president who said he helped develop the concept from the start, said a variety of safeguards including audit logs, the digital trail of system activity, could alert Microsoft or the government to potential problems. Because these controls are stringent, residual risk is minimal, Nair said. Digital escorts present a natural opportunity for spies, experts say. If I were an operative, I would look at that as an avenue for extremely valuable access. We need to be very concerned about that, said Harry Coker, who was a senior executive at the CIA and the National Security Agency. Coker, who also was national cyber director during the Biden administration, added that he and his former intelligence colleagues would love to have had access like that.Chinese laws allow government officials there to collect data as long as theyre doing something that theyve deemed legitimate, said Jeremy Daum, senior research fellow at the Paul Tsai China Center at Yale Law School. Microsofts China-based tech support for the U.S. government presents an opening for Chinese espionage, whether it be putting someone whos already an intelligence professional into one of those jobs, or going to the people who are in the jobs and pumping them for information, Daum said. It would be difficult for any Chinese citizen or company to meaningfully resist a direct request from security forces or law enforcement. Microsoft says the program is government-approved. In a statement, Microsoft said that its personnel and contractors operate in a manner consistent with US Government requirements and processes.The companys global workers have no direct access to customer data or customer systems, the statement said. Escorts with the appropriate clearances and training provide direct support. These personnel are provided specific training on protecting sensitive data, preventing harm, and use of the specific commands/controls within the environment.Insight Global a contractor that provides digital escorts to Microsoft said it evaluates the technical capabilities of each resource throughout the interview process to ensure they possess the technical skills required for the job and provides training. Microsoft says it disclosed details of the escort program to the government. Former Pentagon officials said theyd never heard of it. Microsoft told ProPublica that it described the escort model in documents submitted to the government as part of cloud vendor authorization processes. Former defense and intelligence officials said in interviews that they had never heard of digital escorts. Even the Defense Departments IT agency didnt know about it until reached for comment by ProPublica.I probably should have known about this, said John Sherman, who was chief information officer for the Defense Department during the Biden administration. He said the system is a major security risk for the department and called for a thorough review by [the Defense Information Systems Agency], Cyber Command and other stakeholders that are involved in this.DISA said, Experts under escort supervision have no direct, hands-on access to government systems; but rather offer guidance and recommendations to authorized administrators who perform tasks. There were warnings early on about the risks. Multiple people raised concerns about the escort strategy over the years, including while it was still in development. A former Microsoft employee, who was involved in the companys cybersecurity strategy, told an executive they opposed the concept, viewing it as too risky from a security perspective. Around 2016, Microsoft engaged contacts from Lockheed Martin to hire escorts. The project manager says they told their counterpart at Microsoft they were concerned the escorts would not have the right eyes for the job given the relatively low pay.Microsoft did not respond to questions about these points. Other cloud providers wouldnt say if they also use escorts. Its unclear whether other major cloud service providers to the federal government also use digital escorts in tech support. Amazon Web Services and Google Cloud declined to comment on the record for this article. Oracle did not respond to requests for comment.