The companies denied the allegations, and Chinese officials have said the government is not responsible for cyberattacks on U.S. companies. China claims its government entities and companies are also increasingly under attack.
Nevertheless, the threat of the U.S. government buying equipment with spyware is real, experts say. Such malware could be buried in hardware and move information to a command-and-control server.
"What that boils down to is a piece of malware executed at a level below the operating system, where it is virtually undetectable by just about every cybersecurity product on the market today," Henry said. "There is some amount of doubt in the security community about whether this sort of attack is even practically possible, but I assure you, it is."
At the Black Hat conference in 2006, Joanna Rutkowska, founder and chief executive of security researcher Invisible Things Lab, demonstrated a proof-of-concept rootkit (http://theinvisiblethings.blogspot.com/2006/06/introducing-blue-pill.html) that could be embedded in IT equipment.
Sign up for CIO Asia eNewsletters.