- Malicious code injection: Escorts could unknowingly execute scripts that compromised system integrity.
- Espionage potential: Chinese engineers had visibility into system architecture and workflows, offering a vector for intelligence collection.
- Compliance laundering: The escort model allowed Microsoft to technically meet federal requirements while sidestepping their intent.
Harry Coker, former CIA and NSA executive, called the program a “natural opportunity for spies.” Jeremy Daum of Yale Law School emphasized that Chinese law makes it difficult for citizens or companies to resist government data requests: “That’s the risk baked into cross-border support.”
As a long-in-the-tooth former HUMINT officer myself, I’ll say it plainly: If I had created a channel where trusted insiders piped code into systems of interest, I’d have created an intelligence superhighway, one so efficient and self-sustaining, it would rival the infamous self-licking ice cream cone. Elegance is the cover: plausible cyber administrative or compliance tasks.
In Microsoft’s defense, and judging by the broad lack of knowledge within the DoD, there do not seem to have been any guardrails to prevent this from occurring. As John Sherman, the former DoD CIO during the Biden administration, told ProPublica, “I probably should have known about this.” He opined that the system is a major security risk for the department and called for a “thorough review by DISA, Cyber Command, and other stakeholders.”