Microsoft to stop using China-based teams to support Department of Defense

In a significant policy change, Microsoft has decided to discontinue the use of engineering teams based in China for its support of the Department of Defense's cloud computing infrastructure. This announcement came after an investigation by ProPublica raised alarms about potential vulnerabilities to hacking and espionage. However, the Defense Department is not the only government entity affected by such practices. ProPublica’s findings reveal that Microsoft has employed its global workforce, including personnel from China, to maintain cloud services for other federal departments, such as Justice, Treasury, and Commerce. This activity has occurred within the Government Community Cloud (GCC), which, while not classified, handles sensitive information. The GCC is authorized by the Federal Risk and Authorization Management Program to manage information deemed to have a 'moderate' impact, meaning any breach could significantly disrupt agency operations or impact individuals. Notably, the Justice Department's Antitrust Division has relied on GCC for its investigation and litigation processes, as highlighted in a 2022 report. Additionally, segments of the Environmental Protection Agency and the Department of Education have also utilized this cloud infrastructure. Microsoft asserts that its foreign engineers working within the GCC were supervised by U.S.-based personnel known as 'digital escorts,' a protocol similar to what was implemented at the Defense Department. Despite these measures, cybersecurity experts have voiced concerns about the risks associated with foreign support in the GCC. Rex Booth, a former federal cybersecurity official and now the chief information security officer at SailPoint, noted a common misconception: that unclassified data poses no threat. Booth emphasized that the vast amounts of data stored in cloud services, coupled with AI's capability to analyze this data quickly, could reveal sensitive insights that might jeopardize U.S. interests, even if the data itself is not classified.