Last week, US Defense Secretary Pete Hegseth issued a directive requiring the Pentagon’s Chief Information Officer (CIO) to take additional measures to ensure that the Department of Defense’s information systems are protected from infiltration by major adversarial foreign nations.
Hegseth’s directive was made public for the first time this Tuesday, July 22. Prior to this, a report by ProPublica detailed how Microsoft utilized Chinese engineers working on US military cloud computing systems, supervised through American “digital escorts” employed by subcontractors. These subcontractors held security clearances, but lacked the technical capability to assess whether the work of Chinese engineers posed a cybersecurity threat.
While Hegseth’s directive did not provide specific details, it instructed the CIO to “immediately take action, with the assistance of key officials from relevant Department of Defense departments, to ensure that all information data systems developed and procured for the Department of Defense (including cloud services) undergo review and verification to withstand hacker attacks from adversarial nations such as China and Russia.” These departments include Acquisition and Sustainment, Intelligence and Security, and Engineering.
Last Friday, Hegseth mentioned his directive for the first time in a video posted on X, where he stated that “some tech companies have been using cheap Chinese technical workers to support the Department of Defense’s cloud service systems.” He called for a “two-week review” to ensure that such incidents do not occur in other information technology service chains within the Department of Defense.
While the Defense Secretary did not expressly name Microsoft in the video or memorandum, a Microsoft spokesperson later publicly stated that the company had made adjustments to “ensure that no Chinese engineering teams are providing technical support for Department of Defense government cloud and related services.”
“Especially in today’s environment where digital technology is under threat, this is clearly unacceptable,” Hegseth stated in the video last Friday.
He added, “We must ensure that the digital information systems used by the Department of Defense are resilient, which is why today I announce that China will no longer be involved in any way in our cloud services.”
Hegseth urged the Department of Defense to “strengthen security protections within the existing projects and processes of the Defense Industrial Base (DIB) to eliminate or mitigate possible infiltration by adversarial foreign nations, and identify additional measures that may need to be taken to address these potential risks.” Specifically, the directive requires systems to achieve Cybersecurity Maturity Model Certification (CMMC).
Earlier last Friday, Arkansas Republican Senator Tom Cotton, chairman of the Senate Intelligence Committee and a member of the Armed Services Committee, sent a letter to Defense Secretary Hegseth questioning the reports related to Microsoft. Cotton requested the US military to provide a list of contractors using Chinese personnel and more information on how American “digital escorts” are trained to detect suspicious activities.
Within 15 days of the signing of the directive, the Office of the Department of Defense Chief Information Officer must issue additional implementation guidance on this matter, led by the department’s Chief Information Security Officer Dave McKeown.
Additionally, the directive calls for the Deputy Secretary of Defense responsible for intelligence and security to “as much as possible, review personnel and organizations providing services to the Defense Intelligence Agency and cloud services to determine if they pose potential security threats.”