A new investigation has raised red flags over how Microsoft handles sensitive military data. According to ProPublica, the company has been letting engineers based in China work on U.S. Defense Department cloud systems, with minimal oversight.

The program, known internally as the “digital escort” system, pairs Chinese engineers with U.S.-based employees who are supposed to supervise the work. But current and former staff told ProPublica that many of these so-called escorts lacked the technical background to fully understand what was being done.

Some escorts were hired mainly for their security clearances, not their cloud expertise. That mismatch has left national security experts uneasy. Under federal rules, only U.S. citizens or permanent residents are allowed to handle classified or sensitive military data. Critics say Microsoft’s model sidesteps that requirement by relying on escorts who can’t actually evaluate the technical details of the work they supervise.

Michael Lucci, founder of State Armor Action, didn’t hold back. “If these allegations are credible, the federal government should never again rely on Microsoft to protect the data that keeps our men and women in uniform safe,” he said. He also pointed to Microsoft’s history of security breaches tied to China-linked actors.

Microsoft insists the program is secure. It says all privileged users go through background checks and that monitoring tools, layered defenses, and federal audits—like those from FedRAMP—are in place.

DISA, the Defense Information Systems Agency, says the digital escorts are only used in specific unclassified environments and only for troubleshooting. But after Chinese hackers reportedly breached U.S. military cloud systems in 2023, many aren’t convinced.

Security advocates are calling for a reassessment. As China’s cyber capabilities grow, they argue, any overseas access, especially through contractors, needs far tighter control.