Yeah it seems like there are two issues here being conflated. The first is that non-US-persons are operating, by proxy, Azure assets that serve US Gov missions. The second is that those persons may be operating assets used in sensitive missions. Say IL4 and up.

The first is a little embarrassing for Microsoft, but a venal sin, not a mortal one. Makes them look like cheapskates offshoring work, instead of training local workers, but Ok, fine.

The second would be a mortal sin, assuming ( its not clear from the article whether) these non-US people are really operating at IL4 and up. Those assets really need US people especially at the higher impact levels. All of the above is public info described in FedRAMP standards.

How does the vendor make sure you're not doing anything malicious if they don't have the skills to understand the change?

It sounds like the issue here isn't that the vendor doing the escort is a Chinese national, it's that the engineer making the change is a Chinese national in China and they're using this escort system to check a box saying that because the changes themselves are being made by US nationals, they won't send PII or passwords back to China. But fundamentally a system where an untrusted person gets a less technical person to make a change for them seems inherently extremely high-risk.

> The government is totally aware of where the operator boundary lies and this is still wildly mischaracterized.

Regardless of the program’s actual risk, it doesn’t seem that the government is fully aware of the program’s very existence. The article quotes the former CIO of the Pentagon as being surprised:

> John Sherman, who was chief information officer for the Department of Defense during the Biden administration, said he was surprised and concerned to learn of ProPublica’s findings. “I probably should have known about this,” he said. He told the news organization that the situation warrants a “thorough review by DISA, Cyber Command and other stakeholders that are involved in this.”

Secret is still sensitive info and, if released, can cause harm or disruption.

Spying is not based on finding a single discovery of top secret information but a continuous process of pulling various pieces together. A "secret" item by itself may not cause bad things to happen but combined with other information could result in far greater damage.

> systems up to secret level only

These aren’t SECRET systems. If they were, that would be catastrophically bad and someone would go to jail.

Does any of this matter any more given that DOGE have total clearance bypass for uncleared staff?

This doesn't reflect what the article says. It only includes unclassified systems, not systems up to secret. That means anything from IL2 to IL5 (secret is impact level 6). In practice, IL2 is basically open access anyway, so it's really IL4 and IL5 as those levels actually restrict access. IL5 can include controlled unclassified information, but that's the highest possible. Remote access to IL5 systems also requires either a common access card issued by the DoD or personal PKI issued by an approved CA that still has to verify your background and identity in person before issuing you a certificate pair.

Along with everyone else they interviewed apparently, I had no idea this program even existed, but there have always been similar programs for other kinds of maintenance and support personnel. The people who repair the toilets and refrigerators in a SCIF don't have clearances. They get an escort, and everyone else in the building gets a warning before anyone needing an escort comes in, telling them to put away any sensitive data and either work on something unclassified or turn off your monitors and stop working completely until these people are done and leave again.

> they can’t just run unsigned code etc.

They can do everything that the escort's account can, I don't think you can know what that is.

Since it's to solve technical issues, there's a high chance that low-level access will be required, often.

>not a software

Appears the program has unfixed bugs and security holes anyway :\

There’s no single overarching federal requirement when it comes to citizenship etc, but I would’ve assumed that ITAR requirements at the very least would’ve made this work US citizen on US soil only.

I mean what does vetting even mean anymore? Our President is a convicted felon, our head of HHS thinks bad humors cause illness and vaccines cause Autism, our head of Education is dismantling her own organization with the approved sign off of the Supreme Court, of whom a solid percentage are accused sex offenders, and I could keep going with the utter circus our Government is currently.

Not only are qualifications not required they are apparently actively discouraged in favor of nepotism and connections.

It doesn't seem amazingly well worded, but I'm assuming that "these workers" from the previous paragraph are the "digital escorts" which were described as:

> U.S. citizens with security clearances to oversee the work and serve as a barrier against espionage and sabotage

I'm guessing a pair of eyes over your shoulder (or virtually watching a session) as you do work near or with sensitive data or systems.

It's called Windows for a reason...

So much bringing manufacturing to America but I see little regarding developing software solely in America.

Not sure if this is a debate the current administration has for the future or even if they are aware of it.

Not trying to give my opinion or deciding whether one thing is better or worse. Just genuine curiosity.

It was Clippy, back from the dead.