Defense Secretary Pete Hegseth says Chinese coders accessed sensitive Pentagon data through Microsoft and blamed the Biden administration for the security lapse.
Mr. Hegseth disclosed in a video message posted on the Pentagon website Wednesday that the program known as “digital escort” was disclosed last month and has been canceled after a review.
“For nearly a decade, Microsoft has used Chinese coders, remotely supervised by U.S. contractors, to support sensitive [Defense Department] cloud systems,” he said, adding that the program was designed to comply with defense contracting rules.
However, the use of Chinese technicians “exposed the department to unacceptable risk,” he said.
“I mean, if you’re thinking America first and common sense, this doesn’t pass either of those tests,” Mr. Hegseth said.
Mr. Hegseth blamed the questionable program on the Biden and Obama administrations.
A vulnerability review was launched last month and the use of Chinese nationals to service Pentagon cloud storage is over, he said.
A formal letter of concern was also sent to Microsoft documenting what the secretary said was a “breach of trust” by the software giant.
An audit by an outside agency is being conducted to check on software code submitted by Chinese nationals, and a separate Pentagon investigation is underway on Microsoft’s use of Chinese nationals.
“These investigations will help us determine the impact of this digital escort workaround,” Mr. Hegseth said. “Did they put anything in the code that we didn’t know about? We’re going to find out.”
The Pentagon also had ordered all software vendors to identify and terminate any Chinese involvement in defense networks.
“It blows my mind that I’m even saying these things … [or] that we ever allowed it to happen,” he said. “That’s why we’re attacking so hard.”
Vendors working with the Defense Department are expected to place U.S. national security interests ahead of maximizing profits, he added.
“I’m committed, like the president is, to ensuring that our national security networks are secure. Again, it’s America first, and it’s common sense. This never should have happened in the first place, but once we found out about it, we attacked it aggressively from the beginning, and we’re going to follow all the way through the tape to make sure that this is addressed,” Mr. Hegseth said.
The use of Chinese engineers by Microsoft to maintain Pentagon computer systems was first disclosed in an investigative report by ProPublica on July 15.
The program used Americans with security clearances to oversee the work of the Chinese technicians to prevent espionage and sabotage.
However, the report said the Pentagon workers often lacked the technical expertise to police the Chinese coders.
Microsoft said it has ended the use of Chinese-based engineering teams for the Pentagon cloud system.
“We remain committed to providing the most secure services possible to the U.S. government, including working with our national security partners to evaluate and adjust our security protocols as needed,” a Microsoft spokesman said in a statement.
China remains the most aggressive state sponsor of cyberespionage, a problem that has involved damaging attacks on U.S. government computer networks for more than two decades.
Nearly all government computer networks have been victims of Chinese cyberattacks, including critical infrastructure networks, military networks, business systems and university networks.
The Microsoft digital escort program did not handle classified information but included highly sensitive unclassified information.
John Sherman, the Pentagon’s chief information officer during the Biden administration, said he was surprised and concerned to learn of the use of Chinese nationals.
“I probably should have known about this,” he said.
Microsoft reportedly did not fully inform the Pentagon about its use of Chinese nationals in the program.
Sen. Tom Cotton, Arkansas Republican and chairman of the Senate Select Committee on Intelligence, wrote to the Pentagon in July to voice his concerns about the problem.
“Chinese state-sponsored hacking campaigns have long targeted U.S. officials through Microsoft systems,” Mr. Cotton said.
“The U.S. government recognizes that China’s cyber capabilities pose one of the most aggressive and dangerous threats to the United States, as evidenced by infiltration of our critical infrastructure, telecommunications networks, and supply chains,” he said. “DoD must guard against all potential threats within its supply chain, including those from subcontractors.”
