Defense Secretary Pete Hegseth publicly declared that foreign engineers from any country should never be allowed to maintain or access DoD systems, launched a review, and, within weeks, announced that the use of Chinese nationals to service Defense Department cloud environments was over.
In July 2025, ProPublica revealed something that stunned even veteran national security officials: for nearly a decade, Microsoft used engineers based in China to help maintain some of the U.S. Defense Department's most sensitive cloud systems.
The workaround was called a "digital escort" program. Because federal rules require that people handling sensitive government data be U.S. citizens or permanent residents with proper screening, Microsoft's foreign engineers couldn't touch these systems directly.
So Microsoft hired U.S. citizens with security clearances, some paid as little as $18 an hour, many with little to no coding experience, to sit in the middle. A China-based engineer would dictate technical commands over a Teams call, and the escort would copy and paste them into the federal cloud.
The problem, as ProPublica documented, is that the escorts often had no way to know what they were actually executing. One escort admitted the team was essentially trusting that the commands weren't malicious, because they couldn't tell either way. A former Microsoft engineer who helped build the system conceded that if a script was named something innocuous but did something malicious, the escort would have no idea.
This was a system Microsoft designed deliberately because hiring an all-U.S. workforce to maintain the federal cloud was deemed too expensive. Microsoft later confirmed a similar escorting arrangement was used in its Government Community Cloud (GCC) - the same cloud environment that serves state and local government customers, including law enforcement agencies.
Washington's response tells you everything about how serious this was:
In December 2025, the President signed a defense policy law that prohibits individuals based in China, Russia, Iran, and North Korea from having direct or indirect access to Defense Department cloud systems, codifying the ban and closing the escort loophole for good.
Notably, when ProPublica asked other major cloud providers whether they operated similar programs, AWS stated plainly that it does not use personnel in China to support federal contracts.
Police departments don't run the Pentagon's cloud, but they face the same core question: when a vendor touches your data, who is actually doing the work, and can they pass the background checks your data requires?
That question sits at the heart of the FBI's CJIS Security Policy. Criminal Justice Information -incident reports, criminal histories, BWC footage, investigative files - is subject to strict personnel screening requirements, including fingerprint-based background checks for anyone with access. Those safeguards only work if you know who's really behind the curtain.
The digital escort scandal proved that a vendor can hold every certification on paper while quietly routing hands-on keyboard work through personnel who could never pass your screening requirements. Microsoft's own security plan submitted to the Defense Department did not refer to its China-based operations at all.
The lesson for agencies evaluating AI and cloud vendors: compliance logos aren't enough. You have to ask where the infrastructure lives, who develops the software, and who provides support, where they are located, and whether they are U.S. citizens.
We built TRULEO to be the most secure, American-made AI platform for law enforcement from day one.
The digital escort program survived for nearly a decade across three presidential administrations because nobody asked the right question. Don't let your agency make the same mistake. Before you sign your next technology contract, ask:
TRULEO will answer all four in writing, with audit documentation to back them up.
See our full security posture at truleo.co/security or schedule a presentation to talk with our team.
Sources: ProPublica, "A Little-Known Microsoft Program Could Expose the Defense Department to Chinese Hackers" (July 2025); ProPublica, "Microsoft Used China-Based Support for Multiple U.S. Agencies" (July 2025); ProPublica, "Pentagon Warns Microsoft: Company's Use of China-Based Engineers Was a 'Breach of Trust'" (August 2025); ProPublica, "Trump Signs Bill Banning Use of China-Based Engineers on Pentagon Computers" (December 2025).