In 2016, China enacted a sweeping National Cybersecurity Law, tightening its control over technology companies operating within its borders. This legislation compels companies to grant Chinese authorities access to source code, encryption keys, and backdoor entry to their systems. While framed as a national security measure, it creates a direct pipeline for Beijing to access and potentially compromise software used worldwide, including in the United States government and critical infrastructure. Microsoft, one of the world’s largest technology companies, maintains almost ten thousand workers in China who develop core products like Microsoft Office, Exchange, and Azure cloud services – the same products widely used throughout U.S. federal agencies.
The Office of the Director of National Intelligence has identified China as the “broadest, most active, and persistent cyber espionage threat to U.S. Government and private sector networks,” and it’s time we demand that Microsoft choose a side in this battle. Microsoft’s deep integration with China includes not just software development but also artificial intelligence research and their significant stake in OpenAI, raising additional security concerns as these technologies become more critical to national security.
In my time serving you in the Missouri State House, I worked to fill in some of the security gaps we haven’t fixed yet at the national level. Two pieces of legislation I introduced, the Unmanned Aerial Systems Security Act of 2024 (HB 1415) and the Light Detection and Ranging Technology Security Act of 2024 (HB 1416) sought to prohibit the use of drones and LIDAR technology from countries of concern, including China, in Missouri’s infrastructure and government operations. Keeping these equipment imports out of Missouri is a significant step in the right direction for the sake of our citizens and could mitigate threats that civilian UAVs or other tech used in Missouri could unintentionally pose to national security sites like Whiteman Air Force Base. But state-level protections aren’t enough when our federal systems remain vulnerable to foreign interference through the very software they rely on every day.
The dangers of Microsoft’s deep ties to China became clear in July 2023 when Chinese state-sponsored hackers infiltrated Microsoft Exchange Online. This breach exposed over 60,000 emails from U.S. government agencies. While no direct link has been established between this attack and Microsoft’s operations in China, we must scrutinize the privacy and security of products developed in China. It’s alarming that software vulnerable to foreign influence is ubiquitous in our government. We need to seriously question this reliance on a single provider with such significant exposure to a strategic competitor.
In the aftermath of the 2023 hack, the Department of Homeland Security’s Cyber Safety Review Board issued a report strongly criticizing Microsoft’s cybersecurity practices. The report emphasized that the company has deemphasized security, failing to take even basic steps. Microsoft promised to raise its protocols to meet industry standards, but its continued operations in China imply compliance with China’s cybersecurity law and that law mandates the transfer of remarkable levels of access directly to the Chinese Communist Party.
The federal government’s dependence on Microsoft products magnifies these security risks considerably. Studies show the company provides software for approximately 85% of government employees, yet maintains this position through restrictive licensing agreements that prevent agencies from using competing products or switching providers without enormous expense. This concentrated control over government computing systems creates an untenable situation – our nation’s digital security depends heavily on a company that must comply with Chinese government demands for access to its source code and systems. Congress possesses the authority to address this dangerous level of dependence on a single provider, but doing so requires the political will to confront one of the world’s most powerful technology companies.
From a regulatory standpoint, Missouri is fortunate to have two U.S. Senators who are fearless in standing up to Big Tech. Senators Josh Hawley and Eric Schmitt have been sounding the alarm about Microsoft’s entanglement with China. They worked together on a bipartisan letter demanding answers from the Biden administration about the security lapses that led to the 2023 hacking by Chinese-backed hackers. Both senators have also introduced legislation to modernize our national security and limit China’s access to critical U.S. systems.
I’m asking Senators Hawley and Schmitt to continue leading the charge on implementing stricter regulations on the development of critical software used by government agencies. Companies with significant operations in countries subject to invasive cybersecurity laws, like China, should face additional scrutiny. We wouldn’t allow a defense contractor to manufacture sensitive equipment in Beijing; we should apply the same caution to our digital infrastructure.
The choice before us is clear: either we can continue down this path of complacency and face increasingly severe breaches, or we can take action to secure our digital future. It’s time for our leaders in Washington and in Jefferson City to recognize this threat and act decisively to protect American interests in the digital age.