[patio11]

If the brief for the contract includes "We believe we may have been compromised by a nation state. Check for us." then checking keyboards and mice is totally reasonable. Some of them incorporate user-upgradable firmware. Given this, turning the keyboard/mouse into an "advanced persistent threat" is an exercise trivially within the capability of garden-variety security consultants. (Ballpark cost: $20k if you get everything scratchbuilt the first time, assuming you've separately rooted one machine to infect the peripheral.)

Nation states can be presumed to have access to garden-variety security consultants, and more elaborate tricks besides.

[mechanical_fish]

Yes, even I fell for the "but it's only a stupid mouse!" spin on this story, and I've been shopping for embedded processors recently so you'd think I would know better.

If it has a USB port, it contains a tiny computer. One which is probably more powerful than the Commodore PET I learned computing with. Not that you need that much power to log keystrokes.

Those of us who were brought up in the 20th century can no longer trust our intuition about where computers might be hiding.

[rmc]

A lot of threat models that the USA defends against are perfectly legitimate, because the USA has used them against opponents in the past! e.g. US military and embassies always fly in new equipment from the USA, rather than buying local. Why? Because in the cold war, the Soviets got a local photocopier and local repairmen. The USA had a camera in it and the repairman was a spy. These aren't theoretical attacks to the USA.