
Since 2008 or so, all US government computers on SIPR block USB storage devices unless they are on an approved list. Autorun is disabled.

Physical security is another big factor; there is a long checklist for a SCIF that at some level takes into account TEMPEST-type threats that mitigate many attacks on air-gapped systems.

And none of these things are the default on commercial software because users want it to be frictionless. They want software to install right away when you plug in a USB drive, etc.



I don't think that would have protected against this attack. I think it was the users' workflow to plug USB drives into non-airgapped computers, then into the airgapped computers. So those USB drives would be put on the approved list, and also be used by the attackers.


I guess people forget that SneakerNet is still a network.


Someone who gets it. I work in security and everyone hates me because I add friction and cost. On the flip side, I have a lot of PII to protect.


Would you agree that perhaps executables whose origin is a USB drive should be treated as equivalent to a browser download and unconditionally get a prompt to execute even if it was copied off the USB? I think it’s naive to think that our own security wouldn’t be helped by improving software measures even if it does risk our own offensive capabilities - we have very advanced and well funded adversaries ourselves.


Getting the balance between security and usability right is tricky. It doesn’t make sense to have to click yes to trust software when you run it a hundred times a week; pretty quickly you are just clicking and not actually considering the risk. At the same time, for airgapped systems where updates are rarely installed and the impact is much higher, it makes sense to only allow whitelisted software and prompt each time.


It does prevent you accidentally running something that you didn't expect to be an executable in the first place as is the case here. I doubt you're running executables off of USB drives hundreds of times a week on air gapped machines.



