- A fake complaint alleges security concerns with a $10 billion Microsoft cloud deal known as JEDI.
- Microsoft disputes everything in the complaint and says it was created by an impersonator.
- Microsoft won the $10 billion Pentagon contract in 2019, but Amazon has claimed it deserves it.
- Visit the Business section of Insider for more stories.
Microsoft says a fake complaint about its security over a $10 billion Pentagon cloud contract — filed by someone pretending to be a Microsoft employee — is making the rounds among tech workers, reporters, and social media, stoking false rumors and concerns around an already controversial deal.
The fake complaint from last month adds a strange twist to saga of the Joint Enterprise Defense Infrastructure, or JEDI, contract, which Microsoft won in 2019. Microsoft’s winning of the contract has been disputed by Amazon, which sought the contract for itself. and has resulted in a quagmire of lawsuits, acrimony, and public feud involving two of the largest cloud computing providers. Last month, the Defense Department wrote in a memo to Congress that it could abandon the contract if legal battle drags on.
The unfounded allegations in the complaint show how efforts to cast doubt on the integrity of the JEDI contract is now descending to dirty tricks and misinformation campaigns.
The complaint, which has been viewed by Insider, claims Microsoft’s use of motherboards manufactured by China-based Lenovo raises “questions about supply chain security and potential for additional compromise,” as they allegedly failed to pass an internal auditing process. It’s particularly concerning because the Lenovo components are expected to be used in the servers for the JEDI project, it says.
Additionally, it alleges that Microsoft’s main cloud competitors, such as Amazon and Google, have banned the use of Lenovo components in their cloud data centers due to similar security concerns. The complaint is signed with a Microsoft director’s name, which Insider has chosen not to include in this story due to privacy reasons, and who denies being the author of the complaint.
The complaint was filed through Convercent, Microsoft’s own incident reporting website run by its Office of Legal Compliance, which allows anyone, including non-employees, to submit such charges.
According to Microsoft’s spokesperson Frank Shaw, all of the specifics in the complaint are inaccurate and the employee mentioned in the report did not create it. Shaw added that similar false complaints have been shared among other tech reporters and on social media sites, including the anonymous workplace app Blind. The company is currently investigating the matter.
“We believe this is targeted harassment against an employee. The employee denies being the originator of these communications, and we have no reason to doubt this. We investigated and confirmed that all solutions currently shipping to our data centers are FOCI compliant,” Shaw said in an email to Insider, referring to the Foreign Ownership, Control, or Influence security agreement.
Other claims about Lenovo, Amazon, and Google found in the complaint also appear to be false.
Lenovo’s spokesperson told Insider that the company is “aware of the fake complaint,” and that there is “no validity to any of the claims that are made within the fake complaint.”
Amazon’s spokesperson also told Insider it’s inaccurate to say Amazon has banned Lenovo or pulled their servers out of any project. A person close to Google Cloud confirmed to Insider that the claims in the complaint are “categorically false” as well.
Since the lucrative JEDI contract went to Microsoft in 2019, Amazon has repeatedly challenged the decision, calling it a “politically corrupted contract award” rooted in former President Donald Trump’s public feud with Amazon CEO Jeff Bezos, even after the agency reaffirmed its commitment to Microsoft. An updated lawsuit released in December 2020 shows Amazon yet again questioning the Pentagon’s reevaluation process and the Trump administration’s bias against the Amazon Web Services cloud business.
Microsoft’s security details, however, did come under scope in recent weeks following reports of cyberattacks on SolarWinds software that infected thousands of companies and government agencies. Some reports suggested the vulnerabilities in Microsoft software led to the hacking campaign, which Microsoft denied.
Here’s the full text of the fake complaint. Chuck Graham, who the author mentions, is the Microsoft executive overseeing its cloud computing supply chain.
I work for Chuck Graham in the Cloud Sourcing and Supply organization. I wanted to raise a potential security concern related to Mother Boards (MB) we received recently from one of our Systems Integrator (Lenovo). Lenovo is currently in the process of being qualified for MB manufacturing to support our in-region L3 to L11 manufacturing project.
In our hardware teardown process, we found several random components that were not in the bill of materials such as signal couplers, passive components and chipsets that were not authorized by us. They did not appear to be communicating to each other as they were not directly in the main north or southbound lanes but the fact that new components were found raises questions about supply chain security and potential for additional compromise especially as these servers are planned to be used for the Jedi project.
Lenovo manufactures all of their motherboards in their main factory in Hubei province in China. We have learnt recently from our contacts that Lenovo was pulled out of both Google Cloud (Innsbruck project) and AWS (Sasquatch project) for failing security audits at their manufacturing plants and both have banned use of Lenovo servers altogether. I am raising this concern given recent malware issues reported by ZT systems that brought all their manufacturing facilities down, and the more recent Ingrasys security breach that kept their MX facility from being operational. I have raised this concern internally but have not received the right level of focus, hence escalating for a speedy resolution.