
by Renee Dudley, with research by Doris Burke at ProPublica
The tech giant is required to regularly provide U.S. officials with its plan for keeping government data safe from hacking. Yet a copy of Microsoft’s security plan obtained by ProPublica makes no reference to the company’s China-based operations.
Microsoft, as a provider of cloud services to the U.S. government, is required to regularly submit security plans to officials describing how the company will protect federal computer systems.
Yet in a 2025 submission to the Defense Department, the tech giant left out key details, including its use of employees based in China, the top cyber adversary of the U.S., to work on highly sensitive department systems, according to a copy obtained by ProPublica. In fact, the Microsoft plan viewed by ProPublica makes no reference to the company’s China-based operations or foreign engineers at all.
The document belies Microsoft’s repeated assertions that it disclosed the arrangement to the federal government, showing exactly what was left out as it sold its security plan to the Defense Department. The Pentagon has been investigating the use of foreign personnel by IT contractors in the wake of reporting by ProPublica last month that exposed Microsoft’s practice.
Our work detailed how Microsoft relies on “digital escorts” — U.S. personnel with security clearances — to supervise the foreign engineers who maintain the Defense Department’s cloud systems. The department requires that people handling sensitive data be U.S. citizens or permanent residents.
Microsoft’s security plan, dated Feb. 28 and submitted to the department’s IT agency, distinguishes between personnel who…