What used to be a joke about hackers breaching Pentagon servers has turned into a disturbing reality. Ten years ago, in a move to save money and improve efficiency, the U.S. Department of Defense decided to outsource its cloud infrastructure to Microsoft. To make that possible, the Pentagon even changed rules regarding access to classified data. From then on, access could be granted not only to active military personnel but also to American civilians.
Then came the IT industry's most familiar practice: outsourcing. The contractor hires a subcontractor, who hires another one — often overseas. In this case, Chinese programmers ended up doing the work.
Read more: U.S. Sells NASAMS Systems to Egypt Amid Shifting Dynamics in the Middle East
This entire situation was uncovered by ProPublica in an investigation that outlines the mechanics of what might be one of the most catastrophic cybersecurity failures in U.S. military history.
The information was confirmed by U.S. Defense Secretary Pete Hegseth himself. He acknowledged the use of Chinese labor, the resulting "potential vulnerability," and confirmed that a full review of all Pentagon digital systems is now underway.
Defense Express will briefly summarise what appears to be the biggest failure of US information security.
After winning the contract to handle the Pentagon's cloud infrastructure — including server hosting, data processing systems, and classified software tools — Microsoft hired subcontractors. One of them was Insight Global. But Insight Global then outsourced some of the work outside the U.S., sidestepping national security controls.
Access to classified material was handled through a workaround called "digital escort." These were U.S. citizens, often former military or government employees, who had the required security clearance. Their job was to pass programming tasks to outsourced developers in China and deliver the finished code back.
Job postings for these "digital escort" roles emphasized the need for a clearance to handle restricted government information. Actual programming skills were listed merely as "preferred," not required. The pay was just $18 per hour — significantly below market rates, where even entry-level developers typically earn $30 or more.
In practice, the escorts simply relayed assignments and returned the completed code — without being technically capable of reviewing or validating it. And neither Insight Global nor Microsoft conducted proper code audits or oversight.
Microsoft claims the "digital escort" model was outlined in the cloud project documentation, but that documentation is not public. It also seems the Pentagon didn't fully understand the implications of the arrangement.
The most serious concern now: after a decade of such outsourcing, no one knows for sure what exactly was coded by the Chinese programmers — or whether backdoors and other tools for unauthorized access have been embedded into the Pentagon's digital ecosystem.
Read more: Doomsday Plane Developer Will Help Ukraine Set Up Air Defense Maintenance Hub
