Chinese Ministry of State Security can inject a coder/sysadmin who adds vulnerabilities which are then used for espionage against corporations/governments. The National Security Agency has done things like that in the past, so it is safe to assume the Chinese do it too.
Playing devil’s advocate: what should the rest of the world do when using proprietary technology from the USA, given that NSA likes to have their nose in everything?
The software industry needs to adapt to the challenges of a fully digitized world and at the moment things are a bit behind. The first and most important part is to have reproducible builds and code signing, so in cases where the source is available, people should be able to easily trace what’s in the software they’re using and who contributed. I think this is a technical challenge and some software ecosystems are trying to solve it (Go, Rust etc.). The next thing that I would like to see happening is more commercial software licenses that allow making a living from selling software but that give access to the source. I prefer a world where I pay for software and developers can make a living, and at the same time be able to check that the promises that the developer makes are held.
How would code-signing help if NSA arm-twists you into introducing a backdoor in your code? Even for open-source, it is difficult for average-Joe to trace and figure out contributions (it's like saying the automobile engine has blueprints available, so everyone should be able to figure out what's wrong). :-)
You know NSA is an American Agency, and America is not China - there is a free enterprise. The only way they can "arm-twist" you is by rules and regulations that every company has to follow. In other words - NSA cannot force you to break the law.
Well Arabia and Russia are starting to force data being processed and stored in their territory by blocking foreign comm-tech. But I don't think that is a solution, that is just digital nationalism driven by fear of espionage and demand for the power of mass surveillance.
What "the world" should do is lobby against nation-states and mega-corps having their noses in everything, because it is a central building block of totalitarianism. Even if the state doesn't go all out authoritarian, it opens back doors that leave people vulnerable to abuse by bad actors.
The rest of the world can (and should) avoid US software if they want to. Playing devil's advocate here doesn't make a lot of sense because no US regime has ever been anything close to CCP.
While it's probably a little easier with a "home field advantage" there's no reason to think they don't do this to stuff built outside of China also. As you say, the NSA does this, and certainly other large nations have institutions that do this as well. It's probably safe to assume all large communications systems are riddled with intentional errors.
They don’t even need to do that. The government can much more easily coerce the existing employees to do things by threatening them or their family members. This is the risk that Chinese employees in the US with family back in China pose to US companies.
It's a play on the whole "they warn about the dangers of supply chain hacks". If asked how they can be so sure that is happening, they say: well, we would do it that way.
A proven case? Look at Crypto AG. Sure one might argue the whole company was planted, so it doesn't count ...
Come on, everyone knows this is not about denigrating Chinese people. To have an entire software team located in China puts the product at risk because of the potential interference of the CCP.