Sen. Tom Cotton (R-Ark.) has requested details from the Pentagon regarding the extent of information shared with Chinese engineers involved in a Microsoft cloud services contract.
Cotton, chairman of the Senate Select Committee on Intelligence, sent a letter to Defense Secretary Pete Hegseth dated July 24 requesting findings from an internal two-week review announced by the Pentagon chief on July 18.
Hegseth ordered the review after finding out that some technology companies had been using “cheap Chinese labor” to assist with the Pentagon’s cloud services, according to his video message posted on X. He added that the vulnerability was found on a “legacy system created over a decade ago during the Obama administration.”
On the same day that Hegseth issued the order, Microsoft announced that it had ended the practice of using China-based engineers to provide technical support for maintaining the Pentagon’s cloud system. The engineers were allegedly supervised by U.S. citizens acting as so-called digital escorts to oversee their activities.
Cotton asked Hegseth to specify the services provided by the Chinese engineers and to detail what information or data they accessed.
The senator also asked how often Microsoft and other providers that used the “digital escort model” carried out self-audits, and what the results of the audits were.
Hegseth was also asked to disclose “any discovery of potential security incidents or malicious events that have already occurred or are likely to occur,” according to the letter.
Cotton also wanted Hegseth to provide “all security classification guides provided to Microsoft or other contractors under the Joint Warfighting Cloud Capability (JWCC) program.”
Amazon, Google, Microsoft, and Oracle were awarded cloud contracts valued at up to $9 billion in total in 2022 to build the JWCC, which would provide cloud services across all security and classification levels.
The senator also requested information on the Pentagon’s plans to implement a department-wide review of contracting practices and guidelines to prevent a contractor from exploiting loopholes that could compromise the security of its systems.
Cotton expressed concerns, even though Hegseth ordered the review, quoting the defense secretary as saying, “China will no longer have any involvement in our cloud services, effective immediately.”
“While I applaud your actions, I am concerned that the Department is hampered by agreements and practices unwisely adopted by your predecessors, including contracts and oversight processes that fail to account for the growing Chinese threat,” the senator wrote in his letter.
“As we learn more about these ‘digital escorts’ and other unwise—and outrageous—practices used by some DoD partners, it is clear the Department and Congress will need to take further action.
“We must put in place the protocols and processes to adopt innovative technology quickly, effectively, and safely.”
On July 22, Microsoft announced in a blog post that cyberattacks targeting SharePoint servers used by organizations were carried out by Chinese regime-linked hacking groups Linen Typhoon and Violet Typhoon, as well as China-based threat actor Storm-2603.
Microsoft updated its blog post a day later, saying that there had been more than 400 victims due to the SharePoint hacking.
Cotton has taken multiple actions this year to address cybersecurity threats posed by foreign adversaries.
In May, Cotton led a bicameral group of lawmakers in sending a letter to Commerce Secretary Howard Lutnick, urging him to ban the sales of networking equipment from TP-Link, saying that the company has “deep ties” to the Chinese Communist Party.
In the same month, Cotton and Sen. Ruben Gallego (D-Ariz.) introduced the Water Cybersecurity Enhancement Act. The bill aims to support public water systems by providing technical assistance and grants for training and guidance on cybersecurity preparedness and response.
Cotton and Sen. Elissa Slotkin (D-Mich.) introduced the Farm and Food Cybersecurity Act in February. If enacted, the legislation would require the secretary of agriculture to identify cyber threats and vulnerabilities connected to agriculture and food sectors in a report submitted to Congress.
Friends Read Free
Copy
Facebook
Tweet
