Pentagon Now Open to Chinese Hackers—Thanks To Microsoft

bluestork / Shutterstock.com

A new investigation reveals that Microsoft has been quietly relying on engineers based in China to help manage some of the Pentagon’s most sensitive cloud computing systems — an arrangement cybersecurity experts say could leave U.S. national defense wide open to Chinese espionage.

According to ProPublica, Microsoft sidestepped federal rules that bar foreign nationals from directly accessing classified or sensitive government networks by using “digital escorts” — U.S.-based workers with security clearances — to serve as middlemen. These escorts, who often lack the technical training to fully understand the work they’re doing, input code written by Chinese engineers into critical Department of Defense systems.

This workaround has allegedly been in place for over a decade and only recently came to light. While Microsoft insists these foreign engineers have no direct access to U.S. data, insiders say the risk is enormous — especially given that the engineers’ instructions are being entered without review by escorts who “have no idea” what the scripts actually do.

“We’re trusting that what they’re doing isn’t malicious, but we really can’t tell,” one escort working for Microsoft contractor Insight Global told ProPublica. These workers, often paid around $18 an hour, are tasked with manually copying and pasting commands from China-based engineers into systems containing “high impact level” data — the kind that, if compromised, could cause catastrophic damage to national security.

“If I were an operative, I would look at that as an avenue for extremely valuable access,” warned Harry Coker, a former senior executive at both the CIA and NSA.

Microsoft says it maintains robust safeguards, including approval workflows, automated code reviews, and strict monitoring to prevent potential abuse. In a statement, the company said it assumes any system user could be a threat and has designed “layers of mitigation” to account for that.

But critics remain skeptical. ProPublica’s report shows that even former Microsoft employees raised red flags about the escort program — especially since the engineers in China appear to have deep insight into system architectures that could be exploited if they turned rogue.

One former engineer stated bluntly: “If someone ran a script called ‘fix_servers.sh’ but it actually did something malicious, [escorts] would have no idea.”

The story arrives on the heels of multiple serious breaches tied to Chinese cyber operations. In 2023, Chinese hackers infiltrated the email systems of both the U.S. Commerce and State Departments — a breach ultimately linked to a Microsoft security lapse. The idea that Chinese engineers may now be indirectly controlling Pentagon cloud infrastructure raises red flags for many on Capitol Hill and within the intelligence community.

Even top former officials were blindsided. John Sherman, who served as chief information officer for the Department of Defense, admitted, “I probably should have known about this.”

To make matters worse, U.S. law offers little protection against China’s internal data collection practices. Experts note that under Chinese law, the Communist Party can compel private companies and individuals to hand over data at any time. “It would be difficult for any Chinese citizen or company to meaningfully resist a direct request from security forces or law enforcement,” said Jeremy Daum of Yale Law School’s Paul Tsai China Center.

The Pentagon has yet to comment on the revelations. But with growing concern over China’s aggressive push to dominate cyberspace, this report is certain to add fuel to the fire — especially with a presidential administration that has made cracking down on foreign influence a central policy goal.

For now, the American people are left with a troubling question: Who’s really maintaining our most secure systems — and who’s watching them?