Software and Tear, The Wire China, Sep. 10, 2023.

By Brent Crane

Can Microsoft safely shepherd the U.S. government through an era of transpacific saber-rattling?


“Great power conflict is back,” declared the organizers of this year’s prestigious Aspen Security Forum, in July. “And the technologies used to win it are changing much faster than we can digest.”

In an attempt to try, the conference invited two men squarely at the center of that great power technological conflict onto the stage together. Dressed nearly identically, with their top buttons undone, were Microsoft president Brad Smith and Rob Joyce, the National Security Agency’s cybersecurity director. Their easy mutual air reflected what has been a very close relationship between Microsoft and the U.S. government over the past two decades.

Indeed, perhaps more than any other private tech firm, Microsoft has been embedded in the U.S. government’s digital infrastructure, providing ‘Outlook’ email and ‘Office’ word processing services at first and, more recently, video conferencing through ‘Teams’ and cyberspace contracts with ‘Azure,’ Microsoft’s cloud computing service. By some estimates, Microsoft has raked in nearly $12 billion in taxpayer funds since 2018 for federal, state and military projects in the public and classified realms.

But despite the bonhomie of the men onstage, the panel’s moderator, Susan Glasser, brought up what everyone was thinking: What was Microsoft doing about China and its relentless cyber attacks on the U.S. government?

The question came at a somewhat embarrassing moment for Microsoft. Just weeks earlier, in late May, Microsoft had announced that a state-sponsored hacking group had been actively infiltrating U.S. military infrastructure in order to “disrupt” it “during future crises.” Microsoft was tipped off to the intrusion after noticing strange code hiding within telecommunications systems in Guam running on its software. (The U.S. pacific territory houses U.S. military detachments considered vital in the event of conflict with China.)

Microsoft’s report landed like a bomb in the American press.1 Chinese hacking events have become old hat, but this was something new: a cyber intrusion intended to cause damage in the real world. (Foreign Ministry spokesperson Mao Ning referred to hacking reports as a “collective disinformation campaign” by the U.S. and its allies.)
[*1 It also echoed the U.S. Annual Threat Assessment, published in February, that said, “China almost certainly is capable of launching cyber attacks that could disrupt critical infrastructure services within the United States, including against oil and gas pipelines, and rail systems.”]

Then, in June, a cybersecurity expert in the U.S. State Department also noticed something odd in cyberspace. Examining the agency’s Microsoft-run cloud platform, the employee found that the U.S. government had been severely hacked. The sophisticated attack was traced to another China-based hacking group, dubbed Storm-0558, who had managed to steal a cryptographic key that allowed access to cloud-based Outlook email systems for 25 organizations. Compromised accounts included the U.S. ambassador to China, other senior State Department officials, Commerce Secretary Gina Raimondo, Republican Congressman Don Bacon (a China hawk from Nebraska), and some two dozen other organizations and government agencies.

The Chinese hackers may have been inside these networks for a month.

By the time of the Aspen forum, it was clear to anyone paying attention that China was ratcheting up its cyber subterfuge against the U.S. — and that Microsoft, a Fortune 500 multinational and leading U.S. government contractor, was right in the middle of it.

On stage, Smith admitted that the hacks reflected “growing sophistication” from China. But Joyce seemed to downplay the incident, calling it a “fairly traditional threat.”

“It is China doing espionage,” he said. “That is what nation-states do. We need to defend against it, we need to push back on it, but that is something that happens.”

Unfortunately for both men, however, that “something” seems to be happening more than ever. When the American software firm SolarWinds was infiltrated by Russian hackers in 2020, compromising the data of numerous U.S. government agencies, they did so in part through penetrating cloud-based Microsoft services. Then, in 2021, over 30,000 Microsoft Exchange customers, including U.S. officials, were hacked in an attack attributed to state-sponsored actors in China.

The latest attacks, however, were notable for both their novelty of approach and degree of access.

“Stealing the encryption key — holy cow, that is a big deal,” notes James Andrew Lewis, director of the strategic technologies program at the Center for Strategic and International Studies (CSIS). “I told somebody in the White House, ‘I hope all these Chinese guys get medals for doing this because that’s really a coup.’”

“It is obvious that critical internal Microsoft infrastructure was compromised, which is bad enough,” adds Karim El-Melhaoui, of cloud security firm O3 Cyber. “What’s even worse is that there was a breach of customer data, which is the first known event of this kind from one of the three big cloud providers [Microsoft, Google and Amazon].”

Indeed, not everyone in government is being as polite to Microsoft as Joyce was onstage. As ComputerWorld, a trade magazine, recently put it, the latest attacks have made it “open season on Microsoft in Congress.”

In July, Sen. Ron Wyden wrote a withering letter urging U.S. agencies to “take action” against Microsoft. The Oregon Democrat called for the Cybersecurity and Infrastructure Security Agency (CISA) to open an inquiry, which it did in August. Wyden also called for the Department of Justice to see “whether Microsoft’s negligent practices violated federal law,” and for the Federal Trade Commission to investigate possible contractual infractions.

“[E]ven with the limited details that have been made public so far, Microsoft bears significant responsibility for this new incident,” the senator wrote.

A bi-partisan group of senators has also called for a “closed, unclassified briefing” on the June hack.

In a blog post, Microsoft blamed “a validation error in Microsoft code.” This past week, they finally released a postmortem which detailed how hackers obtained the cryptographic key: through compromising the corporate account of a Microsoft engineer. Notably, Microsoft has not explained how the hackers pulled off this crucial step. By all appearances, they have no clue.

Microsoft declined to answer questions from The Wire.

As more and more entities transition to the cloud — which Microsoft has encouraged and staked much of its future on — the question increasingly circulating among high-value clients is whether the Washington-based company is as reliable as it says.

“There is a lot of displeasure with Microsoft and its security at senior levels [of the U.S. government],” says Lewis, of CSIS.

Aggravating this displeasure is Microsoft’s substantial footprint in China, a country it has been active in since 1992. Indeed, Microsoft has succeeded where many of its tech peers (like Google, eBay, Uber and Amazon) did not. The company has around 9,000 employees in China today and plans to hire more for its offices in Shenzhen, Suzhou, Shanghai and Beijing. Though it pulls less than 2 percent of its revenues from the Middle Kingdom, Microsoft remains a vital software provider there. Nearly 90 percent of Chinese desktop users run Windows, according to StatCounter, including the central government.

The firm’s Beijing-based research hub, Microsoft Research Asia (MSRA), is also widely regarded as the country’s most prestigious training ground for ambitious software engineers. And Microsoft founder Bill Gates, whose translated books whizz off Chinese shelves, “is seen as akin to a state leader in China,” says Asaf Lubin, a cyber law expert at Columbia University. “Whenever he comes, it’s like a state visit.”

Past castigations of Microsoft’s cozy relationships in China have been harsh but fleeting. In 2019, for instance, after The Financial Times revealed that Microsoft had partnered with a Chinese military-run university in developing artificial intelligence technologies, Florida Senator Marco Rubio excoriated the company for being “complicit in aiding the Communist Chinese government’s totalitarian censorship apparatus and egregious human rights abuses.”

Then, during the 2021 anniversary of the Tiananmen Square Massacre, Microsoft’s Bing search engine, which operates in China in accordance with censorship laws, was found to be blocking search results in North America related to the event. After Microsoft blamed this on “accidental human error,” Texas Senator Ted Cruz tweeted, “Was the ‘accidental human’ who made the error by any chance the head of China Marketing for Microsoft?”

With “de-risking” and Chinese hacks accelerating, U.S. government scrutiny will likely be more pointed and sustained. As Arun Sundararajan, a business professor at New York University who has long followed Microsoft, says, “They’ve walked this geopolitical tightrope very skillfully in the past. But the nature of the U.S.-China relationship is different now.”

Indeed, given the company’s intimate ties with America’s biggest strategic rival and its demonstrated security lapses arising from it, can Microsoft safely shepherd the U.S. government through an era of transpacific saber-rattling?

‘BETTER TO BE THERE THAN NOT’

In 1992, Bill Gates, then 37 years old, flew to Beijing to sell Windows. Microsoft, like China’s Reform and Opening campaign, was into its second decade and growing fast, and Gates could “see the writing on the wall” that China would eventually swell into a “powerhouse,” recalls Nathan Myhrvold, a former Microsoft chief technology officer.

President Jiang Zemin, Gates found, was receptive to his traveling salesman overtures and by the time he returned, in 1995, much of the Chinese PC market was already running on his operating software.

Gates quickly assessed that to do anything in China, he would need political connections. And so in 2002, Microsoft launched a joint venture with the Shanghai Alliance Investment Ltd., an investment arm of the Shanghai municipal government. At the time, it was run by former president Jiang Zemin’s son, Jiang Mianheng. The joint venture, Wicresoft, which Microsoft invested $4 million into, specializes in I.T. infrastructure design and outsourcing.

By all accounts, not much has come from the company except, perhaps, official goodwill, which Gates was keen to keep up. On another of his trips to China, in 2004, discussion turned to a new venture, spearheaded by Myhrvold, called Microsoft Research Asia (MSRA). Based in Beijing’s techy Zhongguancun neighborhood, the center focused on developing cutting-edge software for use in both China and beyond.

Mainly though, establishing the center was a way for Microsoft to nurture top Chinese talent.

“The talent pool was all we cared about for the research group,” says Myhrvold, who is now retired. “And that worked out very well. We got a great reputation at Chinese universities. A lot of people wanted to go work there, and the research [being conducted at MSRA] was considered very important at Microsoft.”

Microsoft opened seven other such research centers around the world, from Cambridge to Bangalore, but MSRA, the largest one, was notable for its impact. Much of its research concerns deep learning, speech recognition and natural language and image processing. Its first director was Kai-Fu Lee, a Taiwanese-American who went on, after a vicious legal fight with Microsoft, to lead Google’s operations in China and has since become an important venture capital investor straddling China and America’s tech worlds. Another early director, Harry Shum, went on to lead Microsoft’s artificial intelligence programs from Washington state.

Perhaps most importantly, the center has proven a reliable font for guanxi, the Chinese concept of reciprocal social capital that is critical in business and political matters (a 2006 book on MSRA bears this title). If Gates needed China for its vast market and talent pool, turn-of-the-century China needed Microsoft for just the sort of leading software engineering training that MSRA provided.

“We were careful to arrange this with people in the government who we thought would understand it,” Myhrvold says. “People from the Chinese Academy of Sciences and other groups that were very interested in seeing China’s place in the world of academic research be recognized.”

Indeed, for the Chinese tech sector, MSRA’s presence proved a major boon. Its star-studded alumni include top executives at Tencent, Baidu, SenseTime, Megvii and Alibaba. Collectively these tech juggernauts amount to some $678 billion in market value.

MSRA survives to the present day — as does its guanxi. President Xi has met with Gates numerous times, first on Hainan island in 2015 and again in Seattle during Xi’s first U.S. state visit later that year. During a June 2023 trip to Beijing, Gates, who stepped down from Microsoft in 2008 to focus on philanthropy but remains its largest shareholder, met again with the Chinese president. Grinning warmly in the Diaoyutai State Guesthouse, a venue typically reserved for presidents and prime ministers, Xi called the multibillionaire Gates “an old friend.”

But MSRA’s happy success was not representative of Microsoft’s overall China business, much of which was bogged down with navigating privacy concerns, censorship laws and a profit-sucking piracy scourge. Business was so bad for Microsoft in China that Fortune magazine dubbed the company’s first decade there “a disaster.”

Although Windows dominated the Chinese market, profits were virtually non-existent. This is because the vast majority of users ran pirated versions, costing Microsoft some $10 billion in sales. These unofficial versions could be purchased for two bucks compared to the official price of $63. Microsoft made meager efforts to combat the problem through Chinese courts, but did not get far. Mostly, Microsoft grudgingly tolerated the thefts.

“Although about three million computers get sold every year in China, people don’t pay for the software. Someday they will, though,” Gates told an American university audience in 2006. “And as long as they’re going to steal it, we want them to steal ours. They’ll get sort of addicted, and then we’ll somehow figure out how to collect sometime in the next decade.”

When Microsoft did finally take action, it backfired. In 2008, the company released an anti-piracy program into Windows called Windows Genuine Advantage, which turned the desktops of pirated copies to black. A torrent of indignation followed as an inky wave darkened PCs across China. “It’s a crime,” said one Beijing lawyer at the time who filed a complaint with the Public Security Ministry. “The black-screen plan implies that Microsoft can hack all its users, not just the pirates.”

Microsoft insisted that it was in the legal right and that it was not collecting data on users. Discounts were offered for real Windows. But the outcry, and lawsuits, continued. “It is improper to take illegal measures to deal with [piracy], and the public will not accept the black screen move,” said the China Computer Federation, an advocacy group.

Still, some good came out of Microsoft’s proactive action. At the end of the year, a Shenzhen court prosecuted what was deemed the “world’s largest software counterfeiting syndicate,” responsible for some $2 billion in pirated software, including Windows. Although piracy didn’t much let up, the ruling felt like a signal of compromise from on high.

Looking for more surefire revenue streams, Microsoft released a Chinese version of Bing, its search engine, in 2009. Quietly, the company complied with Chinese censorship laws, which Gates downplayed at the time as “very limited.” Google, which had recently suffered a hack of its servers originating from China, exited the Chinese mainland the next year after ultimately refusing to censor its search results. Microsoft, for all its posturing in America over the sanctity of digital freedom, had no such scruples.

Condemnation arrived swiftly and from both sides of the Pacific.

“Of course many companies want to do business in China, but we really think western nations should apply the same kind of moral standards they do in their own nations,” said Ai Weiwei, the Chinese dissident artist.

“I would hope that larger companies would not put profit ahead of all else,” echoed Google’s Sergey Brin.

Today, Bing remains the only foreign search engine available in China. This year, it overtook Baidu in desktop search engine market share, according to StatCounter.

Microsoft has also caved to Chinese censors on other platforms. In 2006, a Chinese dissident writer named Zhao Jing was removed from its blogging platform, MSN Spaces, after requests from the central government. The platform had been known to censor words like “human rights,” “freedom of expression” and “democracy.”

“This is a complex and difficult issue,” said a Microsoft spokesperson at the time. “We think it’s better to be there with our services than not be there.”

LinkedIn, Microsoft’s social media site, has also censored content in China by blocking researchers and journalists posting potentially subversive content. In messages to these accounts, Microsoft wrote, “While we strongly support freedom of expression, we recognized when we launched that we would need to adhere to the requirements of the Chinese government in order to operate in China.”

For a while, a watered-down version called InCareer was available, sans a messaging feature. But in 2021, LinkedIn exited the country entirely, citing “a significantly more challenging operating environment and greater compliance requirements.”2 (It left out those points in its Chinese-language explanation.)
[*2 There are also reports that Chinese spies have used accounts on LinkedIn to target thousands of British officials.]

Periodic reproval notwithstanding, Microsoft has managed to hang on in China in part because most of its products are not as visible to average consumers. Unlike Facebook, Twitter and Google — none of which are available in China — Microsoft mostly targets other companies with its services, not individual consumers. And to the Party’s digital minders, operating systems and spreadsheet programs have a different security valence than social networking.

“China has been pursuing a national strategy of digital sovereignty for a long time and they want important, citizen-engaging technologies to be Chinese,” says Sundararajan, of NYU. “I don’t think better leadership or a different strategy at Google or Amazon would have led to a different outcome.”

But Microsoft has also been willing to make concessions that competitors have not. In 2003, for example, to allay apparatchiks’ fears that Windows could be used for American espionage purposes, Microsoft shared part of its Windows source code with Chinese officials. They did this in several other countries too, but some experts now believe that revealing that technical knowledge ultimately made Microsoft easier to hack.

“Familiarity breeds vulnerability,” says Paul Rosenzweig, a cybersecurity consultant and former Department of Homeland Security (DHS) official. “Microsoft’s activities in China open opportunities for China to more readily understand vulnerabilities in those codes than, say, in Google’s.”

Microsoft’s ample concessions and guanxi have also not spared it from pain inside China. In July 2014, police raided four of the company’s China offices after an anti-monopoly probe was launched against the company. The true reason for the probe, some speculated, lay outside strictly economic concerns. A year earlier, Edward Snowden’s revelations had shown that Microsoft had collaborated with U.S. intelligence agencies to spy abroad. Microsoft came to be seen across China as a potential front for U.S. spying, alongside Cisco, I.B.M., Google, Qualcomm, Intel, Apple and Oracle — all derisively labeled the “guardian warriors” in the Chinese press.

“It’s hard not to mirror,” says Michael Posner, a business ethics professor at New York University and former human rights official in the Obama administration. “From the Chinese perspective, they know how they would interact with their companies, so they imagine that surely that’s how the U.S. government interacts with its major companies like Microsoft.”

The Chinese government banned officials from using Windows 8, citing “energy efficiency” concerns. But observers saw the ban as a tit-for-tat response to the Snowden concerns as well as Microsoft’s sudden decision to end support for Windows XP, which would have forced Chinese government users to upgrade to Windows 8. The next year, when Microsoft partnered with Baidu to encourage adoption of Windows 10, they featured the Chinese search engine as the system’s default — another major compromise.

(In 2015, Microsoft even announced it was forming a joint venture called C&M Information Technologies to provide support to the Chinese government and state owned enterprises. Its partner is the giant defense electronics firm China Electronics Technology Group Corporation, an entity the U.S. has called out as a military firm.)

Microsoft has continued to make exceptions for China with the “cloud” — the amorphous internet infrastructure used to store increasingly vast amounts of data for the private and public sector alike. The cloud’s mass adoption is reshaping how companies and governments operate in cyberspace, and Azure, Microsoft’s $30 billion cloud platform, is leading the charge.

Launched in 2010, Azure is used by 95 percent of Fortune 500 firms today. In 2013, Azure launched in China, but instead of running Azure themselves, Microsoft contracted out its management to a Chinese company called 21Vianet, now called VNET.

VNET, which is publicly listed on Nasdaq, uses a variable interest entity (VIE) to provide both Office 365 and Azure services in China, and some of its largest shareholders, according to filings, are Fidelity, Blackstone and a subsidiary of TusHoldings, which is connected to the Chinese state-owned investment fund Tsinghua Holdings.

In accordance with local regulatory requirements, Azure in China is “physically separated…from Microsoft’s global cloud,” notes the company. Although Azure operates in more than 30 countries, China seems to be the only place where Microsoft has devised such a complicated arrangement.

“The ecosystem that surrounds Microsoft in China is made up of predominantly Chinese companies,” says Sundararajan, of NYU. “They’re really viewed by the Chinese government as the American part of a big Chinese ecosystem.”

THE ‘MONOCULTURE’ PROBLEM


The irony of Microsoft’s situation is hard to miss: While ingratiating itself with the Chinese government and within the Chinese market, it both monitors and suffers from state-sponsored Chinese hacking attacks. Simultaneously, it is constructing the digital scaffolding for the American security state, which is largely focused on rebuffing China.

The tension in these tightropes becomes tauter by the day.

In the U.S., the majority of Microsoft’s government contracts are in the defense realm. These gargantuan deals, most of which are split between firms, are considered vital to modernizing American national security. Vastly varied in scope, they include a $22 billion contract to provide augmented reality goggles to the U.S. Army, the U.S. intelligence community’s $10 billion Commercial Cloud Enterprise, and the $950 million Advanced Battle Management System contract for the Air Force.

Jack Poulson, a Google whistleblower who now runs TechInquiry, a non-profit oversight group, was “shocked” to learn just how dependent Microsoft is on U.S. defense clients while collating a recent report on tech defense contractors. Out of an $11.8 billion estimate for Microsoft’s post-2018 direct U.S. federal revenue, over 98% of that came from defense contracts, Poulson found. “That kind of blew my mind,” he says.

Chris Inglis, the former National Cyber Director in the Biden administration, says Microsoft’s China baggage should give the U.S. pause.

“China’s got a completely different [legal] construct, and we’re not comfortable with that,” he says. “If we’re not comfortable that our citizens’ data should be held accountable to that different legal standard then we shouldn’t be doing business — physically — in China.”

That’s the take-away that Google, which competes fiercely for the same government contracts, seems to be hoping for. In September, Google purchased Mandiant, the cybersecurity company, for $5.4 billion. It will run under Google Cloud, its cloud provider, and bolster Google’s ability to land lucrative government cloud customers.

Amazon, the largest cloud provider in the world, is also surely scheming to take advantage of Microsoft’s China woes.

But as Joyce’s nonchalance on stage in Aspen suggested, the latest hacks may just be seen as more of the same and part of doing business in a multipolar world. The actual consequences for Microsoft, for instance, remain to be seen. In December, just three years after the SolarWinds hack, Microsoft won a $9 billion contract to build cloud infrastructure for the Department of Defense (DoD), called the Joint Warfighting Cloud Capability contract. While Amazon, Oracle and Google also received slices of the pie, Microsoft’s was by far the largest.

“I don’t think the U.S. will look at Microsoft that differently as a result of incidents which are simply the latest in a contest that is always ongoing,” says Nigel Inkster, an analyst with Enodo Economics, a geopolitical consultancy, and the author of The Great Decoupling.

Poulson also doesn’t expect much in the way of consequences, mostly because he suspects the relationship between the U.S. government and Microsoft is closer than many realize.

“If you’re a U.S. tech company and you work closely with U.S. defense and intelligence agencies and you’re operating in a country that is the number one target of U.S. surveillance — given all that we know about the historical relationships of, for example, N.S.A. surveillance through these companies — it’s just unbelievable to me that there is not some sort of agreement there.”

One emerging repercussion, however, is a turn towards ‘contractor diversity,’ which aims to reduce dependencies on any single company, like Microsoft. This is the stated aim of many U.S. agencies, such as the DoD, whose “goal is to have a robust pool of vendors,” says David McKeown, deputy chief information officer for cybersecurity at DoD. “We are encouraging vendors to partner on integrated solutions, which will better serve the Department’s needs than a conglomeration of unintegrated solutions.”

That goal may be harder to execute than it sounds. “What you hear a lot of people arguing about is this ‘monoculture’ problem — being so dependent on Microsoft,” says Michael Daniel, a former cybersecurity official in the Obama administration. “But what are your alternatives? It’s not like there are hundreds of competitors to operate at that kind of scale.”

There are signs that Microsoft is scaling back its China business in light of heightened bilateral tensions. MSRA has reportedly ended relationships with Chinese military-associated universities listed on the U.S. Entity List. And this summer, the company started quietly relocating AI researchers at MSRA to Vancouver, where Microsoft is establishing a new lab. Given its immense military-use potential, AI is a particularly sensitive realm in the U.S.-China tech race.

Considering these hassles and the fact that Microsoft draws minuscule revenues from China, what incentive does the company really have to remain there? One, experts say, is data. To stay innovative in AI, nothing is more vital than amassing terabytes of training data. China, with its billions of internet users and lack of data privacy laws, is seen as a massive honeypot.

“There’s no question in my mind that, at least partially, the answer to that question of ‘Why remain in China?’ is Microsoft thinking, ‘We’re willing to lose any short term revenue for the long term access to the massive amounts of data that the Chinese ecosystem offers us in this corporate race around AI,’” says Lubin, of Columbia University. “Big data is the coin of the realm, so the ability to operate in environments which lack rules around processing of data and transferring of data becomes profitable for a company.”

Indeed, in some ways, this long term strategy rhymes with Microsoft’s decision 20 years ago to let Chinese PC users pirate Windows. But despite the promise of future profits in China, the present involves unceasing assaults.

In August, Microsoft announced that it had identified yet another China-based cyber campaign, this time targeting organizations in Taiwan. The state-sponsored group, dubbed Flax Typhoon, had been using Windows services since at least 2021 to conduct its malicious operations hacking into Taiwanese organizations, Microsoft found. In a blog post, the company said the hackers’ activities suggested that “the threat actor intends to perform espionage and maintain access to organizations across a broad range of industries for as long as possible.”

Microsoft too would like to maintain its broad access. But doing so will likely depend on opinions in Washington.