Recent reports of “imported hardware entering the US with hidden malware” are grossly exaggerated.

Occasionally, a virus creeps into some piece of hardware or software, but that’s because of shoddy manufacturing or just honest mistakes (it’s for this reason that every piece of software that Microsoft releases goes through a multi-engine virus check). 

Sometimes, there’s just a blatant, err, false alarm. Then there are the idiotic “Dell ships with a keylogger” hoaxes.

The supply chain is not inviolate, and there is a cyber security risk. However, there have been very, very few, if any, reports of malicious software being deliberately embedded in imported hardware.

I’m not going to be a Pollyanna and say it can’t happen. But there’s a difference between “it could happen” and “it has happened”.

If you want to understand where this all comes from, it’s from a short exchange between Representative Chaffetz (who clearly believes this is happening daily) and Greg Schaffer of the DHS National Protection and Programs Directorate.

Schaffer actually missed the original question and then, appearing a bit flatfooted, answered in the affirmative, after which Chaffetz stated rhetorically that this is a problem. You can see the exchange for yourself at the 51-minute mark.

From this pebble we get a mountain?

Alex Eckelberry