President Donald Trump signed into law this month a measure that prohibits anyone based in China and other adversarial countries from accessing the Pentagon’s cloud computing systems.
The ban, which is tucked inside the $900 billion defense policy law, was enacted in response to a ProPublica investigation this year that exposed how Microsoft used China-based engineers to service the Defense Department’s computer systems for nearly a decade — a practice that left some of the country’s most sensitive data vulnerable to hacking from its leading cyber adversary.
U.S.-based supervisors, known as “digital escorts,” were supposed to serve as a check on these foreign employees, but we found they often lacked the expertise needed to effectively supervise engineers with far more advanced technical skills.
In the wake of the reporting, leading members of Congress called on the Defense Department to strengthen its security requirements while blasting Microsoft for what some Republicans called “a national betrayal.” Cybersecurity and intelligence experts have told ProPublica that the arrangement posed major risks to national security, given that laws in China grant the country’s officials broad authority to collect data.
Microsoft pledged in July to stop using China-based engineers to service Pentagon cloud systems after Defense Secretary Pete Hegseth publicly condemned the practice. “Foreign engineers — from any country, including of course China — should NEVER be allowed to maintain or access DoD systems,” Hegseth wrote on X.
In September, the Pentagon updated its cybersecurity requirements for tech contractors, banning IT vendors from using China-based personnel to work on Defense Department computer systems. The new law effectively codifies that change, requiring Hegseth to prohibit individuals from China, Russia, Iran and North Korea from having direct or indirect access to Defense Department cloud computing systems.
Microsoft declined to comment on the new law. Following the earlier changes, a spokesperson said the company would “work with our national security partners to evaluate and adjust our security protocols in light of the new directives.”
Rep. Elise Stefanik, a Republican who serves on the House Armed Services Committee, celebrated the development, saying it “closes contractor loopholes … following the discovery that companies like Microsoft exploited” them. Sen. Tom Cotton, the GOP chair of the Senate Select Committee on Intelligence who has been critical of the tech giant, also heralded the legislation, saying it “includes much-needed efforts to protect our nation’s critical infrastructure, which is threatened by Communist China and other foreign adversaries.”
The legislation also bolsters congressional oversight of the Pentagon’s cybersecurity practices, mandating that the secretary brief the congressional defense committees on the changes no later than June 1, 2026. After that, such briefings will take place annually for the next three years, including updates on the “effectiveness of controls, security incidents, and recommendations for legislative or administrative action.”
As ProPublica reported, Microsoft initially developed the digital escort program as a work-around to a Defense Department requirement that people handling sensitive data be U.S. citizens or permanent residents.
The company has maintained that it disclosed the program to the Pentagon and that escorts were provided “specific training on protecting sensitive data” and preventing harm. But top Pentagon officials have said they were unaware of Microsoft’s program until ProPublica’s reporting.
A copy of the security plan that the company submitted to the Defense Department in 2025 showed Microsoft left out key details of the escort program, making no reference to its China-based operations or foreign engineers at all.
This summer, Hegseth announced that the department had opened an investigation into whether any of Microsoft’s China-based engineers had compromised national security. He also ordered a new third-party audit of the company’s digital-escort program. The Pentagon did not respond to a request for comment on the status of those inquiries.
