Trump Signs Defense Bill Prohibiting China-Based Engineers in Pentagon IT Work (propublica.org)
President Donald Trump signed into law this month a measure that prohibits anyone based in China and other adversarial countries from accessing the Pentagon's cloud computing systems. From a report: The ban, which is tucked inside the $900 billion defense policy law, was enacted in response to a ProPublica investigation this year that exposed how Microsoft used China-based engineers to service the Defense Department's computer systems for nearly a decade -- a practice that left some of the country's most sensitive data vulnerable to hacking from its leading cyber adversary.
U.S.-based supervisors, known as "digital escorts," were supposed to serve as a check on these foreign employees, but we found they often lacked the expertise needed to effectively supervise engineers with far more advanced technical skills. In the wake of the reporting, leading members of Congress called on the Defense Department to strengthen its security requirements while blasting Microsoft for what some Republicans called "a national betrayal." Cybersecurity and intelligence experts have told ProPublica that the arrangement posed major risks to national security, given that laws in China grant the country's officials broad authority to collect data.
nice job keep the PHB's in the USA while the real (Score:1)
nice job keep the PHB's in the USA while the real tech people are offshored
Wait, what? (Score:5, Insightful)
"ProPublica investigation this year that exposed how Microsoft used China-based engineers to service the Defense Department's computer systems for nearly a decade"
MS let foreign employees service DoD systems? I can't even begin to fathom how this is even remotely possible. Is there a CCP mule leading services at MS? If not, there should be a congressional hearing on this, because this level of incompetence is really inexcusable.
Re:Wait, what? (Score:4, Insightful)
MS let foreign employees service DoD systems?
Yes, and they will do it again, because it earns them a little more profit, and that is the only thing that counts for corporations of that size. They may hide the outsourcing a little better next time for PR reasons, like adding another layer of "domestic person A being the contractor, but relaying everything to/from N cheaper employees abroad".
Re:Wait, what? (Score:5, Insightful)
From ProPublica [propublica.org]:
The arrangement, which was critical to Microsoft winning the federal government’s cloud computing business a decade ago, relies on U.S. citizens with security clearances to oversee the work and serve as a barrier against espionage and sabotage.
But these workers, known as “digital escorts,” often lack the technical expertise to police the work of foreign engineers with far more advanced skills, ProPublica found.
So there was a loophole in the rules. And of course they're doing this to save money, so the Americans they hired weren't highly technical and probably can't identify attempts at subterfuge.
I mean, even if someone very technical was there to perform the supervision, it would still be hard to defend against a persistent attacker.
Re: (Score:2, Flamebait)
The bar really has been lowered for fucking up.
Re: Wait, what? (Score:4, Informative)
Uh, to be clear, the current administration is stopping the practice.
President Donald Trump signed into law this month a measure that prohibits anyone based in China and other adversarial countries from accessing the Pentagon's cloud computing systems.
How about foreign nationals living in ANY adversarial country (including China) not be allowed to work on anything related to national defense? If they can't even bother to move to the U.S. let's keep them away from our defense systems? OK?
Re: (Score:3)
One small problem with that. Plenty of them would love to move to the US, however a core component of the Trump regime is to end immigration of any kind. Visas are being revoked left and right. Mass deportations. Banning of other visas. Insane border checks (5 years of social media plus personal info on all relatives). The Reich under Stephen Miller is gunning for their all white America.
For many years now, if you are Chinese, there is a really good chance that the Chinese government is compelling you to share information. I mean, it would be a shame if your relatives were to suffer adversity.
You might find it a plus in your book if secrets were relayed, but I suppose you might feel differently if your country had workers in classified work sending your country's state secrets to China - or perhaps you would like it even less if your country's secrets went to the USA - eh?
Re:Wait, what? (Score:4, Informative)
"ProPublica investigation this year that exposed how Microsoft used China-based engineers to service the Defense Department's computer systems for nearly a decade"
MS let foreign employees service DoD systems? I can't even begin to fathom how this is even remotely possible. Is there a CCP mule leading services at MS? If not, there should be a congressional hearing on this, because this level of incompetence is really inexcusable.
NIST 800-53 pre-dates NIST 800-171 pre-dates CMMC. And I'd have to believe that Controlled Unclassified Information (CUI) is the bare minimum standard when talking about "Pentagon" related InfoSec guardrails.
Microsoft's GC Cloud mandating US citizen based support has been around for years now. I have no idea why the hell the Pentagon of all places would be skimping on these mandates, but I can tell you that skimping is quite rampant among defense contractors. Two years after implementing 800-171, a study found 98% of contractors were still not fully compliant.
So I've got good news and bad news (Score:1, Troll)
The bad news is that the reason there is no security risk is the modern ruling class is a global class and they're all working together to fuck you in the ass. So there isn't any actual risk among major countries because they're all in the same club together.
You are not in that club. Statistically you probably believe that you are. And even if intellectually you know you're not you probably vote like you are. Again statistically.
Re: (Score:2)
Indeed. Absolutely incredible. Whoever negotiated those contracts belongs in prison for treason. I mean, this is not even about China. You do not allow foreign access to your secret-level government IT infrastructure, period. But I guess MS pays really good bribes.
Wait! What? (Score:2)
Aren't jobs like these reserved for H-1B Indian contractors?
But... (Score:3)
But Russia's OK.
Re: (Score:2)
But Russia's OK.
I know Fortune 500 companies that are outspoken against Russia's war against Ukraine in public, and at the same time hire cheap Russians that reached western countries mere months ago (and they are certainly not "fugitives"). Virtue signaling is cheap, but there is money to save on wages, morals and security be damned.
I am surprised ... (Score:2)
that this was not already the case.
So USA only? (Score:5, Insightful)
President Donald Trump signed into law this month a measure that prohibits anyone based in China and other adversarial countries from accessing the Pentagon's cloud computing systems.
So that would be every country on the planet, except the USA and maybe Russia?
ITAR (Score:3)
https://en.wikipedia.org/wiki/... [wikipedia.org]
Probably a good idea! (Score:2)
ProPublica does good work (Score:4, Insightful)
And no matter what aisle you sit on they are worth reading, we complain about the news so much but they are an org that is on the ground breaking stories.
Also nothing wrong with this legislation, and really the next step I'd prefer to see is the DoD developing the skill-set and human capital so that it can manage these systems itself and doesn't need the services of a Microsoft or an Amazon. Isn't there, or shouldn't there be, an IT equivalent to the Army Corps of Engineers?
and when MS cuts off self hosted? or when the DOD (Score:2)
and when MS cuts off self hosted? or when the DOD runs the building bill for their own data center
Re: (Score:2)
Obviously the DoD and all government ideally should be on Linux, I would say, and that's from someone who really likes Windows.
Re: (Score:2)
they likely are stuck on lots of windows only software
Re: (Score:2)
Sure but like everything at the Pentagon this would have to be like a 10+ year project, and yeah it'd never be 100%.
But it should be policy from here on out, it really makes a lot of sense to have a "sovereign" OS and you know, we all pay enough MS taxes directly as it is.
A league of our own (Score:2)
We're losing the game we created, so we're creating a new league where we can again be the winners.
Only 900 Billion (Score:2)
That's not enough to build one of those Battleships