Biden officials who backed Microsoft software breached by China now work for Microsoft


Two high-level Biden administration officials who played key roles in evaluating a Microsoft security product that was breached by Chinese hackers now enjoy senior positions at the technology corporation, according to public social media profiles. 

Former Department of Justice chief information officer Melinda Rogers and former Deputy Attorney General Lisa Monaco both played parts in the DOJ’s acceptance and continued use of GCC, a suite of purportedly secure cloud-based services offered by Microsoft, during their tenure in the Biden administration. A recent Pro Publica investigation found that, before Chinese hackers were caught infiltrating GCC, federal officials tasked with auditing the product claimed that Microsoft struggled to prove that its cloud products were secure.

Rogers, now a partner in the technology giant’s enterprise cloud division, and Monaco, who was tapped to be the firm’s global affairs president, took actions that helped GCC obtain and maintain a lucrative foothold within the federal government.

It was Rogers who made the decision to deploy a version of GCC within the DOJ in early 2020, after the product suite had been evaluated by third-party assessment organizations as well as an audit from the DOJ itself. The DOJ’s decision to adopt GCC came with a significant financial upside for Microsoft, placing it on the government’s official online marketplace for cloud services. This, according to Pro Publica, amounted to free advertising for the tech giant and an implicit seal of federal approval.

Microsoft President Brad Smith addresses a media conference regarding Microsoft’s acquisition of Activision Blizzard and the future of gaming in Brussels, Tuesday, Feb. 21, 2023. (AP Photo/Virginia Mayo)

After Rogers’s approval, GCC went through a years-long back-and-forth with federal auditors who claimed Microsoft repeatedly failed to provide crucial information about its security procedures. The auditors also claimed that there was a potential conflict of interest problem with the third-party assessment organizations that initially cleared GCC, seeing as they were paid by Microsoft.

Microsoft, in a statement to Pro Publica, rebuffed these allegations, arguing that federal auditors had given the company vague information requests that it was unable to fulfill to the auditors’ satisfaction and asserting that the independent investigators it retained complied with industry standards. Some of the federal auditors, speaking anonymously, claimed that Microsoft’s secure cloud network was overly exposed to non-secure networks, thus making it ripe for breaches, a concern that the firm failed to assuage.

Amid this years-long process, the White House revealed to federal auditors in 2023 that Chinese state-sponsored hackers had infiltrated the system, seizing emails and other data from the secretary of commerce, America’s ambassador to China, and other top-level officials.

Following this revelation, federal auditors told Microsoft that they would be ending their process to clear Microsoft’s cloud services and, if Microsoft wanted full authorization, it would need to start the process over. This, naturally, infuriated Microsoft, as it imperiled billions of dollars in possible revenue.

An anonymous DOJ official told Pro Publica that Microsoft’s point-person for government cloud services, John Bergin, pushed the department to “throw around our weight” to secure the authorization for the company’s product. 

Then, that December, Microsoft secured a meeting with the federal auditors to negotiate a resolution. 

Rogers, still a top DOJ official, sat next to Bergin opposite Brian Conrad for the meeting.

Early in the meeting, Bergin interrupted one of the auditors, arguing that they “should essentially just accept” GCC’s security bona fides, seeing as the DOJ had already done so. Rogers, reportedly to the shock of those in attendance, backed up Microsoft by criticizing the work of the auditors. 

Rogers repeatedly pressed auditors to “get this thing over the line,” in reference to GCC, multiple former federal employees told Pro Publica.

It was the “opinion of the staff and the contractors that she simply was not willing to put heat to Microsoft on this” and that the DOJ “was too sympathetic to Microsoft’s claims,” former GSA executive director for cloud strategy Eric Mill said. 

The U.S. Department of Justice building is seen in Washington, Dec. 7, 2024. (AP Photo/Jose Luis Magana, File)

Come 2024, federal auditors launched a new review process for GCC.

Though the team ultimately concluded that “there is a lack of confidence in assessing the system’s overall security posture,” they authorized Microsoft’s cloud services nonetheless. The summary document associated with the decision stated that “not issuing an authorization would impact multiple agencies that are already using GCC-H,” signalling that the DOJ initially getting GCC into the government’s bloodstream proved crucial to its ultimate approval. 

A Microsoft spokesperson claimed that there was “absolutely no connection” between Rogers receiving an employment offer from Microsoft and her role in the GCC approval process. She and the company, according to the spokesperson, complied with “all rules, regulations, and ethical standards.”

Monaco’s role in the GCC approval process was, from what can be gleaned from public reporting, less direct than Rogers’s involvement.

After Russian hackers were discovered to have breached government computer systems in late 2020, reportedly exploiting a long-existing weakness in a Microsoft product, Monaco announced an effort to use the False Claims Act to litigate against government contractors who “fail to follow required cybersecurity standards.”

Pro Publica found no evidence that Monaco used her position to scrutinize Microsoft GCC, despite its reported security lapses.

“There is absolutely no connection between these hirings and any involvement they may have had with the authorization of GCC High,” a Microsoft spokesperson told the Washington Examiner, addressing both Monaco and Rogers. “As with the hiring of any former government employee, we comply fully with all rules, regulations, and ethical standards regarding their employment, including recusal requirements for work connected to their previous agencies or relevant subjects during the designated period.”


“Before the DOJ authorized GCC High, there were plenty of public reasons to treat Microsoft’s China operations as a serious security concern,” Tech Integrity Project policy director Geoffrey Cain told the Washington Examiner. “The company’s Beijing research lab had produced alumni who went on to build China’s sanctioned surveillance companies. Its employees had co-published AI research with a Chinese military university. Also, DOJ’s own cybersecurity rules required US-only personnel for IT maintenance precisely because foreign access to sensitive systems is a known risk. Any one of those facts should have triggered harder questions about putting sensitive law enforcement data on Microsoft’s cloud. Together they should have made GCC High subject to rigorous scrutiny.”

“DOJ was the department pushing this product through, and the agency responsible for prosecuting companies that misrepresent their cybersecurity under the False Claims Act,” he added. “That is a structural conflict of interest.”
