The tech giant is required to regularly provide U.S. officials with its plan for keeping government data safe from hacking. Yet a copy of Microsoft’s security plan obtained by ProPublica makes no reference to the company’s China-based operations.

Archived version

Microsoft, as a provider of cloud services to the U.S. government, is required to regularly submit security plans to officials describing how the company will protect federal computer systems.

Yet in a 2025 submission to the Defense Department, the tech giant left out key details, including its use of employees based in China, the top cyber adversary of the U.S., to work on highly sensitive department systems … In fact, the Microsoft plan … makes no reference to the company’s China-based operations or foreign engineers at all.

Experts have said allowing China-based personnel to perform technical support and maintenance on U.S. government computer systems poses major security risks. Laws in China grant the country’s officials broad authority to collect data, and experts say it is difficult for any Chinese citizen or company to meaningfully resist a direct request from security forces or law enforcement. The Office of the Director of National Intelligence has deemed China the “most active and persistent cyber threat to U.S. Government, private-sector, and critical infrastructure networks.”