Pentagon Staff Used DeepSeek’s Chatbot Before Block
US Defense Department employees accessed a Chinese AI startup's chatbot for two days before cybersecurity officials blocked the service, raising questions about foreign technology vulnerabilities in sensitive government networks. The incident occurred despite growing concerns about Chinese tech companies' data practices and potential intelligence risks.
Incident Timeline and Response
Employees connected Pentagon work computers to servers operated by Hangzhou-based DeepSeek between January 28-30, 2025, to test the company's newly launched AI assistant. The Defense Information Systems Agency (DISA) disabled access to DeepSeek's platforms on January 30 after identifying the unauthorized connections.
Key details:
- Access occurred through standard web browsers on government-issued devices
- No classified systems were reportedly compromised
- DISA implemented network-wide blocks rather than individual user restrictions
Security Implications
The event highlights persistent challenges in monitoring employee technology use within secure networks. While DeepSeek maintains it doesn't store user data, defense analysts note that any interaction with foreign-operated AI systems creates potential vulnerabilities.
"Every query processed through these systems could reveal operational patterns or strategic priorities," said a cybersecurity specialist familiar with the investigation.
Broader Context
This incident follows:
- 2024 Pentagon directives limiting cloud service providers to US-based companies
- Increased scrutiny of AI tools after ChatGPT-related leaks at other agencies
- Ongoing congressional debates about foreign technology in critical infrastructure
The Defense Department has not disclosed whether the access was intentional or accidental, nor confirmed if any disciplinary actions followed. Cybersecurity firms report detecting a 37% increase in attempted connections to foreign AI services from US government IP addresses since 2023.
Ongoing Developments
DISA engineers are conducting forensic analysis to determine the full scope of interactions with DeepSeek's systems. The agency plans to brief congressional oversight committees later this week about the incident and proposed countermeasures.
This breach underscores the tension between workforce demands for cutting-edge AI tools and national security imperatives in an increasingly competitive technological landscape.
What are the potential security risks of connecting work computers to Chinese servers?
Connecting work computers to Chinese servers introduces significant cybersecurity risks rooted in legal, technical, and geopolitical factors. Below is an analysis of the primary concerns:
1. Legal Mandates for Data Access
Under Chinese law, companies must comply with government intelligence and security requests:
- National Intelligence Law (2017): Requires Chinese entities to assist state intelligence efforts. This could compel server operators to share foreign user data with authorities.
- Cybersecurity Law (2017) and Updates: Mandates data localization for certain industries and grants government access to network systems for "security inspections". Foreign businesses using Chinese servers may lose control over proprietary or sensitive data.
"China's legal framework creates an environment where data can be requisitioned without user consent or transparency," notes a cybersecurity report.
2. Backdoors and Hardware Vulnerabilities
- Encryption Chips: Chinese-made hardware, including encryption modules, may contain undetectable backdoors for surveillance. For example, vulnerabilities in telecom equipment have enabled state-linked actors to infiltrate global networks.
- Software Updates: Chinese firms must report cyber vulnerabilities to regulators before patching them, creating opportunities for exploitation. A 2024 CrowdStrike-like incident involving a Chinese software update caused global IT disruptions costing up to $10 billion.
3. Data Exploitation Risks
- AI Training: Data transmitted to Chinese servers could train AI models for military or surveillance purposes. DeepSeek, for instance, collects keystroke rhythms, IP addresses, and device details, which might reveal behavioral patterns or operational priorities.
- Influence Operations: Aggregated user data could fuel targeted disinformation campaigns or phishing schemes.
4. Network Compromise
- Supply Chain Attacks: Chinese servers or software dependencies (e.g., firmware) might introduce malware into corporate networks. The Pentagon incident revealed employees inadvertently connected work devices to DeepSeek's servers for days before access was restricted.
- Third-Party Risks: Even encrypted data stored on Chinese servers remains vulnerable to lawful interception during processing or via compromised third-party vendors.
5. Compliance and Operational Challenges
- Data Localization Laws: China requires certain data types to be stored domestically, complicating compliance with regulations like GDPR and exposing firms to conflicting legal demands.
- Audit Requirements: Foreign companies face mandatory security audits, potentially revealing proprietary IT infrastructure details to Chinese regulators.
Mitigation Strategies
To reduce exposure:
- Avoid Chinese-made encryption hardware and cloud services for sensitive operations.
- Implement network segmentation to isolate devices connecting to Chinese servers.
- Conduct regular audits of third-party vendors for compliance with international data standards.
- Use VPNs and zero-trust architectures to limit data leakage risks.
The Pentagon's scramble to block DeepSeek underscores the urgency of addressing these threats in an era of escalating U.S.-China tech competition.
How did the Pentagon discover that employees were accessing DeepSeek's chatbot
The Pentagon discovered employees were accessing DeepSeek's AI chatbot through a combination of network monitoring tools and internal security protocols. Here's how the situation unfolded:
Detection Mechanisms
- Network Traffic Analysis: The Defense Information Systems Agency (DISA) identified unauthorized connections to DeepSeek's Chinese servers through routine monitoring of outgoing traffic from Pentagon devices. This included tracking IP addresses and server destinations.
- Persistent Access Attempts: Some employees continued accessing DeepSeek even after DISA implemented initial blocks on January 28, 2025. Repeated connection attempts triggered additional alerts, prompting a full network-wide block by January 30.
- Retroactive Code Review: Cybersecurity teams discovered earlier downloads of DeepSeek code from fall 2024 during a post-incident audit. At the time, the Chinese affiliation wasn't flagged due to incomplete threat intelligence.
Catalysts for Action
- Data Governance Policies: DeepSeek's privacy policy—explicitly stating data storage in China under Chinese law—violated Pentagon protocols restricting foreign cloud services.
- Third-Party Alerts: Cybersecurity firms like Armis and Netskope reported surging corporate requests to block DeepSeek, highlighting broader industry concerns about data leakage.
- Internal Correspondence: Military branches like the Navy issued explicit warnings after identifying DeepSeek usage in internal communications, citing "potential security and ethical concerns".
Ongoing Investigation
DISA is conducting forensic analyses to determine:
- Whether access was intentional or accidental
- The scope of data transmitted to Chinese servers
- Potential vulnerabilities introduced by earlier code downloads.
The incident underscores challenges in balancing workforce access to cutting-edge AI tools with stringent national security requirements.
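The detection mechanisms described in this answer (routine review of outbound traffic for blocklisted destinations, and escalation when a device keeps retrying after a block is in place) can be illustrated with a small egress-log sweep. The following is an added example, not code from DISA or from any vendor named above: the proxy log format, the client IPs, the timestamps, the block-effective time and the blocklist entries (placeholder domains and the TEST-NET-3 range) are all constructed for the demonstration. It also goes a step beyond the text by matching on destination IP range as well as hostname, so a blocked service reached under an unlisted name is still caught.

```python
"""Sweep constructed proxy logs for egress to blocked external AI services.

Added example (not from the original page). Everything below is
constructed: log lines, hostnames, IPs (TEST-NET-3), the block time and
the blocklist. The blocklist entries are placeholders, not real domains.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
import ipaddress
import re

# Constructed blocklist for a hypothetical external AI service.
BLOCKED_DOMAINS = {"chat.blocked-ai-vendor.example", "api.blocked-ai-vendor.example"}
BLOCKED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # TEST-NET-3, constructed

# Constructed proxy log format:
# "<iso-timestamp> <client-ip> <method> <dest-host> <dest-ip> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
    r"(?P<host>\S+) (?P<dest_ip>\S+) (?P<status>\d{3})$"
)

# Hypothetical moment the network-wide block took effect.
BLOCK_EFFECTIVE = datetime(2025, 1, 28, 12, 0, 0)
RETRY_THRESHOLD = 3  # attempts after the block that warrant escalation


@dataclass
class Finding:
    client: str
    host: str
    attempts_total: int
    attempts_after_block: int
    escalate: bool


def is_blocked_destination(host: str, dest_ip: str) -> bool:
    """True if the hostname is blocklisted or the destination IP is in a blocked range."""
    if host.lower() in BLOCKED_DOMAINS:
        return True
    try:
        addr = ipaddress.ip_address(dest_ip)
    except ValueError:
        return False  # unparseable IP field: cannot match on range
    return any(addr in net for net in BLOCKED_NETS)


def analyze(lines):
    """Return one Finding per (client, host) pair that reached a blocked destination."""
    attempts = defaultdict(lambda: [0, 0])  # (client, host) -> [total, after_block]
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the sweep
        if not is_blocked_destination(m["host"], m["dest_ip"]):
            continue
        key = (m["client"], m["host"].lower())
        attempts[key][0] += 1
        if datetime.fromisoformat(m["ts"]) >= BLOCK_EFFECTIVE:
            attempts[key][1] += 1
    return [
        Finding(client, host, total, after, after >= RETRY_THRESHOLD)
        for (client, host), (total, after) in sorted(attempts.items())
    ]


# Constructed sample log: one device keeps retrying after the block, one device
# reaches an unlisted hostname that resolves into the blocked IP range.
SAMPLE_LOG = """\
2025-01-27T09:15:02 10.20.30.41 CONNECT chat.blocked-ai-vendor.example 203.0.113.10 200
2025-01-27T09:16:45 10.20.30.41 GET intranet.example.mil 10.0.0.5 200
2025-01-28T14:02:11 10.20.30.41 CONNECT chat.blocked-ai-vendor.example 203.0.113.10 403
2025-01-28T14:02:40 10.20.30.41 CONNECT chat.blocked-ai-vendor.example 203.0.113.10 403
2025-01-29T08:30:00 10.20.30.41 CONNECT chat.blocked-ai-vendor.example 203.0.113.10 403
2025-01-29T11:00:00 10.20.30.77 CONNECT api.blocked-ai-vendor.example 203.0.113.22 403
2025-01-30T07:45:13 10.20.30.88 CONNECT cdn.unrelated.example 203.0.113.99 200
garbage line that does not parse
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        label = "ESCALATE" if f.escalate else "note"
        print(f"{label}: {f.client} -> {f.host} "
              f"total={f.attempts_total} after_block={f.attempts_after_block}")
```

Running the block prints one line per device/destination pair; the first device is marked for escalation because it retried three times after the block, while the device that reached an unlisted hostname is still reported because the destination IP falls in the blocked range. In a real deployment the blocklist and block time would come from the organisation's own policy feed and the log lines from the proxy or DNS resolver rather than from constants in the script.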