Risky Business: "Wide World of Cyber: Microsoft's China Entanglement"
Host: Patrick Gray
Guests: Chris Krebs (Founding Director, CISA) and Alex Stamos (former CISO at Yahoo and SentinelOne, former CSO at Facebook)
Date: August 25, 2025
Episode Overview
In this episode, Patrick Gray reunites Chris Krebs and Alex Stamos to tackle the ongoing and deepening issues surrounding Microsoft’s operational entanglements with China. From revelations about Chinese engineers supporting U.S. government cloud services, to Microsoft’s broader strategy in China and its implications for security and competition, the panel dives deep into both the headlines and structural market forces driving these risky business decisions.
Key Discussion Points & Insights
1. ProPublica’s "Digital Sherpa" Investigation
- Summary of the Story: China-based Microsoft engineers were deeply involved in supporting U.S. Department of Defense (DoD) cloud infrastructure, writing code changes and routing them through U.S.-based intermediaries so that they ultimately landed on U.S. government systems ([02:35] C).
- “Digital Escort” Model: the Chinese engineers had read-only access and would instruct American “escorts” (often non-technical individuals paid as little as $18/hour, valued for their security clearance rather than their skill) to execute the commands. An escort without the technical background to understand what they are typing can execute a change but cannot meaningfully review it, so the control exists on paper more than in practice. The model itself is not uncommon, but it is highly controversial when the people being escorted are Chinese nationals ([04:48] A).
- Reactions:
- “It fails every single common sense test.” — Chris Krebs ([02:35] C)
- “There’s no possible way that anybody who knew what they were doing would say yes to this … for the People’s Republic of China, the number one adversary of the United States, it is just completely and totally unacceptable for Microsoft to have done this.” — Alex Stamos ([08:17] A)
2. The Contracting and Disclosure Mess
- Microsoft failed to properly disclose to DoD that Chinese nationals would be part of the support chain. Documentation referenced “digital escorting” but omitted the critical detail of Chinese staffing ([10:46] B).
- John Sherman, former DoD CIO, is cited:
- “...a matter of not asking the perfect question of the vendor with the very specific conditions and prohibitions.” ([11:59] C)
- The panel agrees that government controls and oversight failed, and that Microsoft’s cost and staffing motivations do not excuse the omission from its disclosures.
3. Microsoft’s Strategy in China: Why Are They So “All-In”?
- Market Access vs. Cost:
- “China is the country that every tech company has to make incredibly challenging ethical decisions about.” — Alex Stamos ([19:12] A)
- Microsoft deeply embedded in China for both cost savings and crucially, market access—“Microsoft just made the decision that we’re going to treat China as a market” ([22:40] A).
- Contrast with Other Tech Giants:
- Google withdrew after the Aurora hacks; Amazon operates at arm’s length with massive constraints in their Chinese cloud business. “[Amazon] ...effectively we do not give you any kind of security in these ways.” ([19:12] A)
- The “Embrace and Normalize” Approach:
- Microsoft’s historic approach was to treat Chinese companies and engineers no differently than any other global market, with corresponding access and integration ([22:40] A; [24:42] C).
4. Cloud Security, Engineering, and Intelligence Implications
- Ongoing security incidents (e.g., SharePoint bug exploited by Chinese actors) expose risks: Chinese engineers still maintain key Microsoft codebases ([16:24] B).
- Microsoft’s global size and product dominance complicate efforts to exert government leverage ([30:17] B).
- The circular dependency: government agencies depend on Microsoft, so Microsoft sets the terms ([30:17] B, [32:38] C).
5. Monopoly, Competition, and Regulatory Frustrations
- “Microsoft does whatever the hell it wants and the US government doesn’t really have that much leverage on them … Excel is a Microsoft product and it kind of runs the world.” — Patrick Gray ([30:17] B)
- Chris Krebs notes the rare but important impact of the Cyber Safety Review Board’s public rebuke, but sees little hope for major regulatory shifts under current U.S. political leadership ([33:52] C, [34:37] C).
- Stamos laments the lack of full-featured competitors, “G Suite’s 70% of the way there. Why won’t Google go the last 30%? Just drives me frickin’ insane.” ([36:20] A)
- On potential future regulation:
- “Regulators should get involved... on the security front. Microsoft is trying to completely dominate... to get rid of any independent security company.” — Alex Stamos ([37:48] A)
- Danger of Microsoft bundling: “The inferior product is winning because they give it away for free. ... Defender has the same security blind spots as the Windows kernel. Getting rid of all independent views... is bad.” ([39:16] A)
6. What’s Next? Procurement, Centralization, and (Lack of) Reform
- Krebs speculates that meaningful change might come from procurement tightening and shared government IT services rather than external regulation ([40:43] C; [44:18] C).
- Example: Canada’s “Shared Services” approach, after initial struggles, has matured and could serve as a U.S. model ([42:44] C).
- The practical impact: centralizing contracts may limit how much spend any one provider (like Microsoft) can capture but brings new risks, including corruption ([43:28] B).
Notable Quotes & Moments
- On the Absurdity of the Digital Sherpa Setup:
- “There’s no amount of money you could pay me to try to oversee Adam Barlow. ...There’s no possible way I would be responsible for that. And certainly not like a junior person at IBM, right? So this is just, it’s crazy talk.” — Alex Stamos ([08:30] A)
- On Microsoft’s Disclosure to DoD:
- “It is crazy in my mind that if you’re the Department of Defense of the United States, you would have to ask them, hey, by the way, are you planning on using Chinese nationals in, like, Beijing to do this work?” — Patrick Gray ([10:46] B)
- Regarding Monopoly Dynamics:
- “Microsoft does whatever the hell it wants and the US government doesn’t really have that much leverage… this is the fundamental building block of all commerce and government is, sadly, Excel spreadsheets.” — Patrick Gray ([30:17] B)
- On Regulatory Intervention in Security:
- “Regulators should get involved… Microsoft is trying to completely dominate. … The inferior product is winning because they give it away for free. … Getting rid of all independent views and all independent voices in the security world is bad.” — Alex Stamos ([37:48] A, [39:16] A)
- On Internal Bureaucratic Stagnation:
- “This isn’t breaking the top hundred priorities in this White House… Cloud ain’t one of them.” — Chris Krebs ([35:20] C)
Important Segment Timestamps
- 00:08 – 02:35: Intro & recap of the “Digital Sherpa” revelation
- 04:48 – 10:23: Discussion of “digital escort” roles and the absurdities of oversight, especially with low-paid, inexperienced U.S. escorts
- 10:45 – 13:51: New information about disclosures, government reaction, and lapses
- 16:24 – 22:40: Microsoft’s breadth in China and the tradeoffs of treating China like any other market
- 30:17 – 36:20: Monopoly issues, government leverage, and fantasy scenarios for a more competitive environment
- 37:48 – 39:16: Monopoly in security, regulatory inertia, and the risks of Microsoft’s bundling strategy
- 40:43 – 44:47: Procurement reform, shared services models, and strategies for action in government IT contracting
Tone & Language
- The episode maintains a brisk, candid, and sometimes sardonic tone as the panel, all deeply experienced and direct, share war stories and emotional, unfiltered responses to the scale of the problem. Banter abounds, but always in service of pulling apart the mechanics, incentives, and sometimes Kafkaesque absurdities at play in the intersection of technology, geopolitics, and government contracting.
Conclusion
This episode offers a timely, comprehensive, and unsparing look at Microsoft’s strategic entanglement with China—from the tactical (and hazardous) involvement of Chinese engineers in U.S. cloud services, to the structural market and regulatory dynamics that make such arrangements possible and difficult to remediate. With stakes this high and incentives misaligned, Krebs, Stamos, and Gray make clear there are no simple answers—only hard questions about competition, regulation, and the geopolitics of software.
