Another Supply Chain Vulnerability

ProPublica is reporting:

Microsoft is using engineers in China to help maintain the Defense Department’s computer systems—with minimal supervision by U.S. personnel—leaving some of the nation’s most sensitive data vulnerable to hacking from its leading cyber adversary, a ProPublica investigation has found.

The arrangement, which was critical to Microsoft winning the federal government’s cloud computing business a decade ago, relies on U.S. citizens with security clearances to oversee the work and serve as a barrier against espionage and sabotage.

But these workers, known as “digital escorts,” often lack the technical expertise to police foreign engineers with far more advanced skills, ProPublica found. Some are former military personnel with little coding experience who are paid barely more than minimum wage for the work.

This sounds bad, but it’s the way the digital world works. Everything we do is international, deeply international. Making anything US-only is hard, and often infeasible.

EDITED TO ADD: Microsoft has stopped the practice.

Posted on July 21, 2025 at 7:04 AM • 16 Comments

Comments

Greg Hunt July 21, 2025 7:44 AM

Not infeasible, expensive. Underlying the deeply international nature of the digital world is a focus on profit margin maximisation and on commercial competition. This pressure then influences IT methodologies, processes and system designs toward lower cost and lower skill approaches that are simply not thought through.

wiredog July 21, 2025 11:58 AM

About 8 years ago Microsoft realized that AWS had run away with all the cloud stuff on the classified side so they decided to port Azure to the high side, and they had a government customer up near Baltimore who wanted that, so they started the process. The first problem they ran into was that Azure was designed, from the beginning, to be run from Redmond. All of it reported back constantly on what it was doing. This was, of course, completely unacceptable to the government customer. But Microsoft didn’t want to fork Azure. So the first problem was adapting Azure so it could work air gapped. The next, and where I came in, was how to monitor Azure and deal with any issues. They certainly didn’t want to have to throw a team of cleared software devs on an airplane every time something happened, and the customer didn’t want to wait 2 days for the team to get there. Also, there weren’t any scifs in Redmond…

So I, and a couple other people were hired to learn the innards of Azure and act as the local support team. Worst case, we would figure out how to cleanse logs of any classified information to send to the engineers in Redmond.

I remember the first time I walked in to a meeting with the overall team in Redmond. I turned to my manager and asked “Can I ask how many of them are citizens?” “No.” “How many on H1s?” “Don’t know.”

Anyway I lasted about 3 months before every other week in Redmond got to be too much and we went our separate ways.

I will say that the Azure code I saw was extremely well documented, especially the clever bits.

pattimichelle July 21, 2025 1:10 PM

Saw this coming 15 years ago when the US lost the ability to make PGA’s and other microcircuits for its spy satellites! The approach was hardware state “validation” versus hidden circuits… So, ya. This makes sense.

Celos July 21, 2025 8:30 PM

That this is international is only part of the problem. The second part is that these “escorts” were sold as actually accomplishing something, when they do not and cannot. I also have no doubt that Microsoft was fully aware of that and just wanted the money.

Clive Robinson July 22, 2025 6:00 AM

@ Bruce, ALL,

Another serious Microsoft Vulnerability Hacked

Just up in the news yesterday,

https://www.independent.co.uk/news/world/americas/us-politics/microsoft-sharepoint-hack-government-agencies-b2792934.html

Is that US State agencies and thousands of servers running Microsoft Sharepoint have been attacked successfully via a Zero Day that MS has just issued a patch for only one version so far,

“By obtaining access to internal servers, the hackers may have been able to steal sensitive data from connected Outlook and Teams accounts, including passwords, as well as cryptographic keys to allow them back in. Cloud-based services are not thought to have been compromised.

Microsoft has already issued one patch to address the vulnerability but, at the time of writing, two more versions of SharePoint were still awaiting custom patches of their own.”

It appears that the vulnerability has been there for quite some time, as the attackers were clued up by a Microsoft patch,

“According to Marci McCarthy, spokesperson for the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the hack came after Microsoft fixed a security flaw in SharePoint earlier this month, which inadvertently alerted the hackers that they might be able to exploit a similar vulnerability.”

To say the old quote,

“Once you have erred, no matter what you do, ‘you are damned if you do, and damned if you don’t’.”

Might seem to be ‘rubbing salt in’ but consider even Bill Gates once got upset because of the way Microsoft Software was full of vulnerabilities. So he changed the way things were done…

Maybe he should ‘pop back into the office to do the same again’.

Clive Robinson July 22, 2025 5:21 PM

@ Bruce, ALL,

A more in-depth set of information on the MS SharePoint vulnerability,

https://www.theregister.com/2025/07/21/massive_security_snafu_microsoft/

An interesting bit,

‘US Senator Ron Wyden (D-OR), a frequent critic of Microsoft and the tech industry in general, decried Redmond’s lackadaisical response to the incident so far: “Government agencies have become dependent on a company that not only doesn’t care about security, but is making billions of dollars selling premium cybersecurity services to address the flaws in its products. Each hack caused by Microsoft’s negligence results in increased government spending on Microsoft cybersecurity services. The government will never escape this cycle unless it stops rewarding Microsoft for its negligence with bigger and bigger contracts.”‘

Hmm…

The article also has a one liner of,

“It’s probably going to get much worse.”

Some might think “Many a word spoken in jest” until they read,

UK uncovers novel Microsoft snooping malware, blames and sanctions GRU cyberspies

https://www.theregister.com/2025/07/20/uk_microsoft_snooping_russia/

Which is yet another Microsoft SNAFU fitting right in with Senator Ron Wyden’s observations…

“The UK government is warning that Russia’s APT28 (also known as Fancy Bear or Forest Blizzard) has been deploying previously unknown malware to harvest Microsoft email credentials and steal access to compromised accounts.”

What’s the betting on another Microsoft SNAFU before the month’s out?

andyinsdca July 22, 2025 8:12 PM

Microsoft may have gotten rid of all of the Chinese employees working on Azure for the USG, but the Chinese probably put in tons of backdoors while they were there. There’s no way that the PRC wouldn’t take advantage of an opportunity like this. This is bigger than Kim Philby.

lurker July 22, 2025 9:04 PM

Contemplating the madness of crowds[1] there is a possibility that Microsoft may inadvertently bring about World Peace through the collapse of the Nation State, that is those nation states that still believe MS is the solution and not the problem.

[1] Madness is the continual repeating of the same mistake, expecting a different result. Misattributed to A.Einstein

Winter July 23, 2025 5:02 AM

@lurker

Contemplating the madness of crowds[1]

In addition to the Einstein quote, I would advise readers to consult the original Memoires of Extraordinary Popular Delusions and the Madness of Crowds by Charles Mackay available at the Gutenberg project [1].

There have been modern sequels by other authors.

[1] https://www.gutenberg.org/files/24518/24518-h/24518-h.htm

Winter July 23, 2025 5:20 AM

@lurker (continued)

There is a second volume of Memoires of Extraordinary Popular Delusions and the Madness of Crowds by Charles Mackay that is not included in the earlier link.

Here is the link including both volumes:

https://www.gutenberg.org/ebooks/24518

Jim Brown July 23, 2025 5:48 AM

Talking of spies, don’t miss Beyond Enkription by Bill Fairclough. It is the inaugural novel in The Burlington Files biographical series comprising six books. It is a fact-based espionage thriller that uncompromisingly defies the conventions of the genre. Not only is it sui generis, but it also redefines the very expectations readers may bring to a spy novel. Set in 1974 and rooted in the author’s real life experience as a covert MI6 and CIA agent, the narrative follows Edward Burlington, an ostensibly unremarkable British accountant, whose life unravels into a perilous web of international espionage and organised crime.

Edward Burlington (aka Bill Fairclough) is no James Bond or George Smiley albeit he occasionally ignites memories of a posh version of Len Deighton’s Harry Palmer. In fact, this novel positions itself as a corrective to Bond and Bourne, eschewing fantasy and languor for a tone that is at once noir, cerebral, and viscerally real. This is not mere fiction inspired by espionage tropes, but a story shaped by the clandestine brutality of actual operations. The narrative is replete with death-defying episodes, credible operational detail and haunting portrayals of duplicity both institutional and interpersonal.

One of the book’s greatest strengths lies in its authenticity. Fairclough’s account of infiltration into smuggling networks, his encounters with the TonTon Macoute and his entanglement in CIA counter-intelligence operations lend an air of legitimacy no fictional creation could replicate. This realism is further amplified by the emergence of corroborating articles on TheBurlingtonFiles website, revealing that Beyond Enkription has become mandatory reading in some state intelligence training programmes. That is a remarkable testament to its value as a quasi-instructional text.

However, this fidelity to fact can also be a double-edged sword. The prose, while taut and efficient, can appear stylistically raw to readers conditioned by the polished elegance of le Carré’s diction. Chapter One, in particular, with its grisly authentic scenes of torture and smuggling, may prove challenging for the squeamish. Yet the reward for perseverance is a richly layered plot that not only intrigues but gains intensity and complexity with every chapter.

Characterisation is robust and nuanced. Figures such as Sara Burlington evolve from shadows into full-bodied presences. Even villains elicit admiration or sympathy as the narrative deepens. Fairclough excels in rendering the psychological strain of espionage, the ambiguity of allegiance and the profound isolation of living a double life.

Talking of double lives, it’s literally breathtaking that while operating for MI6 and the CIA Fairclough was also successful in his career as a Chartered Accountant and never got caught whenever his double life merged into one. Not many if any secret agents have attained so much simultaneously. Somehow, albeit understandably, in the 1970s he was to reach the top echelons of Coopers & Lybrand (now PwC) where he was appointed secretary to their global Executive Committee. Thereafter in the 1980s and later he became either a director or VP in the Citi, Barclays and Reuters groups.

Clive Robinson July 23, 2025 6:06 AM

@ lurker, Winter,

With regards,

“Madness is the continual repeating of the same mistake, expecting a different result.”

And applying it to “crowds” is oft attributed to being a cause of “Conspiracy Theories” and the more modern “echo chambers” and the like.

Where what are very definitely fringe individuals that previously pre Internet would have been singletons can now gather in sufficient numbers to form a crowd.

This causes amongst other things “in-group, out-group” behaviours by what was thought to be self re-enforcement behaviours.

However some are thinking in other directions, that you possibly might think are valid but might not…

As an example have a read of,

https://arstechnica.com/science/2025/07/conspiracy-theorists-think-their-views-are-mainstream/

If you get to the end without feeling the need to scratch your head or pull your hair out let me know 😉

Winter July 23, 2025 11:12 AM

@Clive

If you get to the end without feeling the need to scratch your head or pull your hair out let me know 😉

I’ve read only a few of the theorizing around the followers of conspiracy theories. But no one seems to understand the whole of it.

What struck me was:

  • Religion and conspiracy theories are much more alike, and sometimes, are identical. It always boils down to faith.
  • We think Knowledge is Power, every Conspiracy is based on the reverse causality, that Power dictates Knowledge, there is only power, no “facts”
  • A Conspiracy Belief depends only on who you want to trust, or believe. It is not about the message, truth, but about the messenger (see religion)

sam July 31, 2025 2:28 AM

Great guide! I really appreciated the step-by-step instructions without needing to use the terminal. As someone new to Ubuntu, it was super helpful to see how simple the installation process can be using the Software Center. VeraCrypt is a must-have for anyone serious about protecting their data—thanks for making it so approachable!

Clive Robinson August 21, 2025 11:15 AM

@ Winter, lurker,

We joke about,

“Doing the same thing over and over and expecting different results”

But is it madness or the observer not understanding.

I worked in an office once where one of my co-workers just kept looking up sort of doing a sigh crossed with a tut. She caught a different train to me so we left at different times. It was only by chance I was working late, and she’d already left and her desk phone rang. So I grabbed it to take a message and in the process ended up sitting down to search for a pencil and scrap of paper. It was whilst doing this I saw there was a tight sight line to a clock on the wall in the lab on the other side of the corridor. Move your head even slightly and you could not see the clock.

I then realised her glancing was just good old fashioned “clock watching”… So her sigh and tut was I guess due to the disappointment of how the day dragged on.

So not madness just “the human condition” grinding on… Which brings up,

“We think Knowledge is Power”

It is but only if you have,

1, Sufficient Understanding
2, Sufficient time
3, Sufficient agency.

It is kind of the reverse view of accidents. For some reason people think,

“accident = act of God”

Or similar. Personally I don’t believe in accidents or deities.

I view an accident as an “event” where the laws of physics apply as you would expect.

But you do not have

1, Sufficient time
2, Sufficient information
3, Sufficient physical ability

To take preventative action.

But as you note humans get it backwards, because of “cognitive conditioning” or if you prefer “brain washing” by Church / State / Education.

There is a reason why religion concentrates on Women / Mothers. It’s so they can get in the child’s mind before the child has mental self defences. The religion knows that in the main women control the home not the men. The person who controls the home mostly controls the family close in.

So two things follow,

1, Women are those that are in effect controlled by the church men / priests.

2, The priests are not allowed to marry so they are less influenced.

But there is a third reason which is “succession of power”. If a priest does not have children then their behaviour is more constrained.

Thus the right of succession is for the nobles not the priests, the commoners or for women (unless unmarried and childless).

One of the most important scams in religion is the God and Godhead alleged relationship. A god supposedly dictates to man through the godhead (king). Thus anything the godhead dictates is not them but the god speaking through them… Thus the godhead is not responsible any more than any other messenger.

But… The religious leader controls how the godhead’s message gets disseminated through the priesthood to the entirety of the godhead’s realm. Which gives the religious leader immense control and the advantages that brings. But also none or at most few of the disadvantages…

With children taught by mothers to go down on the knee to priests as the voice of god through the godhead, church, and priesthood, they were like members of a cult brainwashed beyond even belief… Thus the questions of “Who do you trust?” and “What is truth?” just don’t arise. And where they do, declaring an awkward individual a heretic and having them killed both painfully and publicly stops the questions needing to be answered or getting asked again…


Sidebar photo of Bruce Schneier by Joe MacInnis.