Hacker News
by anujabro 4720 days ago
$2.7mm in damages over 6 malware infected parts. That escalated quickly.

Where do they get the rationale for the Mice and Keyboards?!

4 comments

It's low probability but a mouse can absolutely be an attack vector. See: http://www.kickstarter.com/projects/1186217328/the-glitch
A paranoid, incompetent IT team plus an opportunistic "cybersecurity" contractor.
If the brief for the contract includes "We believe we may have been compromised by a nation state. Check for us." then checking keyboards and mice is totally reasonable. Some of them incorporate user-upgradable firmware. Given this, turning the keyboard/mouse into an "advanced persistent threat" is an exercise trivially within the capability of garden-variety security consultants. (Ballpark cost: $20k if you get everything scratchbuilt the first time, assuming you've separately rooted one machine to infect the peripheral.)

Nation states can be presumed to have access to garden-variety security consultants, and more elaborate tricks besides.

Yes, even I fell for the "but it's only a stupid mouse!" spin on this story, and I've been shopping for embedded processors recently so you'd think I would know better.

If it has a USB port, it contains a tiny computer. One which is probably more powerful than the Commodore PET I learned computing with. Not that you need that much power to log keystrokes.

Those of us who were brought up in the 20th century can no longer trust our intuition about where computers might be hiding.

A lot of threat models that the USA defends against are perfectly legitimate, because the USA has used them against opponents in the past! E.g. US military and embassies always fly in new equipment from the USA, rather than buying local. Why? Because in the Cold War, the Soviets got a local photocopier and local repairmen. The USA had a camera in it and the repairman was a spy. These aren't theoretical attacks to the USA.
In the article it comes across like the contractor was constantly saying 'no, it's all ok'.

It seems to say that he took 2 weeks to do the initial audit and then they got him to do some sort of detailed review of every machine which took months. To which he also then said there was nothing really wrong.

To me it sounds like he just did his job while some crazy, incredibly incompetent CIO kept asking for more.

If they were programmable keyboards / mice, or they were suspected to be counterfeit or other surreptitiously modified parts, I might understand.
Right, if it's a mouse that came from the OEM manufacturer and you know it is truly original, it's probably safe. But if there's any way that an outsider could have snuck a loaded mouse into your environment, then the mouse can certainly be set up to attack your system. See note above about The Glitch.
It is probably just because these are things that get touched by humans so there is a high risk that the virus might jump over and spread ...!
The dreaded Trackball Mouse Flu, ready to run rampant now that all the birds caught the flu from us! Only laser mice can save us now!