This is about giving chinese nationals root access
Not how software development works. I don’t have root access to every production system because I can submit pull requests to a Dev instance of the code.
It’s actually terrible opsec
One of the principles of FOSS is that you shouldn’t need security through obscurity. Knowing how a system works won’t compromise its integrity if the security protocols are sound. Having third parties participate in a project shouldn’t compromise the project if the lead developers are doing proper code review and QA. A system that is predicated on being a black box to a hostile government in order to maintain security is rigged for failure.
But, more importantly, the idea that a foreign government can only obtain information on the inner workings of a system when people of that national origin work on the project is severely shortsighted. Do you genuinely believe there aren’t significant numbers of domestic American developers of European ancestry who wouldn’t happily sell access to a foreign government for the right price? Do you genuinely believe there aren’t numbers who could be gulled into exposing the inner workings of their software inadvertently?
Nothing about Hegseth’s complaint improves operational security. He’s hinging his whole worldview on the notion that every other white person at Microsoft is as much of a nationalist as he pretends to be.
Again, working on a codebase doesn’t give you access to the production systems. Neither does being Chinese affect whether you are a reliable third party contractor.
If the workers were supervised and the supervisors were competent, there was no real security risk. Both of those are the big “Ifs” though. And that’s why doing layers of outsourcing creates risks regardless of who you’re outsourcing to.