Sen. Jeanne Shaheen, D-N.H., is demanding answers from the Pentagon after revelations earlier this month that Microsoft used China-based engineers to work on sensitive U.S. military systems.

In a letter to Defense Secretary Pete Hegseth, the senator called for a full explanation of how the Defense Department (DoD) will address potential cybersecurity lapses and prevent similar risks in the future.

Earlier this month, a ProPublica investigation revealed that Microsoft relied on engineers based in China to assist with patching DoD systems. Microsoft said the engineers had no direct access to DoD systems and instead worked through U.S. “digital escorts,” cleared personnel who manually carried out their instructions.

The arrangement raised bipartisan concerns that these escorts lacked the technical skills to detect malicious activity.

Sen. Tom Cotton, R-Ark., echoed Shaheen’s concerns, urging Hegseth to disclose which contractors are using China-based workers and to review escort training protocols. In response to the backlash, Microsoft announced it will no longer involve China-based engineers in DoD projects.

While saying she was encouraged by Microsoft’s decision, Sen. Shaheen pointed to broader systemic issues, highlighting the Pentagon’s slowness in implementing existing legal safeguards.

“While I am encouraged that Microsoft has announced that it will end this arrangement, this incident raises serious questions about whether the DoD is fully implementing U.S. laws that require guardrails around the procurement of information technology (IT) systems,” she wrote.

Shaheen emphasized that an existing provision — Section 1655, titled “Disclosure of Source Code by Contractors to Foreign Governments” — was crafted in direct response to past security lapses involving foreign access to critical software. She expressed frustration that DoD only began the formal rulemaking process to implement the law in November 2024 — six years after it was enacted.

“While I was pleased to see the DoD issue a notice of proposed rulemaking in November 2024 … it unfortunately took the department six years to take this initial step,” she wrote.

Shaheen asked Hegseth to explain why it took the Pentagon six years to begin implementing Section 1655 and what the anticipated timeline is for finalizing the rule. She also sought clarity on whether the DoD’s contract with Microsoft included a clause — required under subsection (c) of Section 1655 — mandating disclosure when a contractor is obligated to share sensitive information with a foreign government. In the event that such a clause existed, she pressed for answers on whether Microsoft informed the DoD of any obligations under China’s Cybersecurity Law that could require sharing its source code with the Chinese government.

In addition, Shaheen asked how the Pentagon plans to mitigate similar cybersecurity risks going forward and requested details on the scope and findings of a review Hegseth initiated on July 18 into the use of foreign engineers by DoD vendors.

Shaheen has asked Hegseth to respond to her questions by August 15.

Lisbeth Perez
Lisbeth Perez is a MeriTalk Senior Technology Reporter covering the intersection of government and technology.