Chinese engineers call the US escorts on Teams and tell them what to copy & paste into US government cloud terminals. The Chinese don't see the screen or touch the keyboard attached to the government cloud so they "don't" break the letter of the law.
The "program" is a logistical one and not a software one in which Microsoft employs Chinese software engineers to be "overseen" by US citizens that have security clearances, but not necessarily the requisite experience for say a code review level of oversight.
This article is trying to show it as more scary than it is. The key points are: this is systems up to secret level only and sessions are recorded and watched by an escort; the escort is not as tech savvy as the engineers performing maintenance (who are also Microsoft employees, from many countries of origin) but there are other controls too; they can’t just run unsigned code etc.
The top secret stuff isn’t using this system; it’s using cleared staff.
Chinese engineers are operating US government cloud computers by proxy. The Chinese just don't see the computer screen--a proxy copies & pastes their commands and reads back the results.
I work in azure and this is wildly mischaracterizing the risk, though it is news to me that there are non-US nationals doing escorts for the non-airgapped government clouds.
I assume it is OK to say this: Microsoft has a “China” cloud and a non-airgapped “US Government” cloud. It is standard practice that engineers making production touches in the clouds have to be “escorted” by vendors who make sure you’re not doing anything malicious. I assume the article is implying that these vendors for the US Gov cloud may be Chinese nationals.
As Jason mentions in another comment, anything actually requiring clearance is serviced by the airgapped clouds and only folks with clearance are able to operate there.
Edit: misread the article but the third paragraph stands. The government is totally aware of where the operator boundary lies and this is still wildly mischaracterized.
I think you mis-read the article. Chinese engineers are operating US government cloud computers by proxy. The Chinese just don't see the computer screen. A US grunt copies & pastes the Chinese's commands into the system during a Teams call.
well, I guess this probably explains the OPM breach. I wondered how they got hold of even the basic details needed for that, seems Microsoft was sending them targets by email voluntarily.
i don't really understand why folks are downplaying this in the comments:
some engineers who write the code for production US systems that contain controlled unclassified information live in china. the US government was unaware that this was happening because MSFT hid it from them. as a result, govt stakeholders are/were unable to assess the risk.
all MSFT ATO's should be revoked.
some of the comments point out that foreign workers will help maintain facilities overseas, but govt stakeholders are aware of this, assess the risk, and implement risk controls.
but shady M$FT hid this from govt, and that amplifies the problem!
19 comments
[ 4.4 ms ] story [ 46.9 ms ] threadThe fun of using Cloud type systems. I expect AWS, Google and maybe IBM Cloud has the same issue. Save $ now, pay lots more later.
Edit: It's people who watch over what foriegn engineers are doing.
The top secret stuff isn’t using this system; it’s using cleared staff.
I assume it is OK to say this: Microsoft has a “China” cloud and a non-airgapped “US Government” cloud. It is standard practice that engineers making production touches in the clouds have to be “escorted” by vendors who make sure you’re not doing anything malicious. I assume the article is implying that these vendors for the US Gov cloud may be Chinese nationals.
As Jason mentions in another comment, anything actually requiring clearance is serviced by the airgapped clouds and only folks with clearance are able to operate there.
Edit: misread the article but the third paragraph stands. The government is totally aware of where the operator boundary lies and this is still wildly mischaracterized.
Worst part is I'm not really surprised.
some engineers who write the code for production US systems that contain controlled unclassified information live in china. the US government was unaware that this was happening because MSFT hid it from them. as a result, govt stakeholders are/were unable to assess the risk.
all MSFT ATO's should be revoked.
some of the comments point out that foreign workers will help maintain facilities overseas, but govt stakeholders are aware of this, assess the risk, and implement risk controls.
but shady M$FT hid this from govt, and that amplifies the problem!
disclaimer: am google