The new normal is actually very normal:  Punctuated equilibrium, security cycle theory, and the “New Normal”

May 3, 2021 | Chris Mark

In 2020, the world was hit with an unexpected pandemic that changed much of life as many had come to know it. Virtually overnight, masks were required, employees were working remotely, children were home from school, and businesses were locked down to stop the spread of Covid-19. In the news and on social media, the term “The New Normal” has taken front and center as the image being promoted. FBI statistics show that due to the pandemic and the increase in remote workers, cyber fraudsters have taken a much more active role. Other criminals are also taking advantage of the situation. The dire-sounding term “The New Normal” seems to suggest that life will be forever changed and that we, as humans, will struggle to adapt. What occurred in 2020 was neither “new” nor as dire as it sounds.

Punctuated equilibrium is a theory originally developed by paleontologists to explain evolutionary biological change. It has since been applied to numerous other areas such as political science, social theory, technological change, corporate behavior, and organizational theory. In short, the theory posits that policies generally remain static and change only incrementally due to various constraints such as bounded rationality, cultures, and vested interests. Policy is characterized by long periods of stasis that change only when punctuated by changes in conditions. History is replete with examples of punctuated equilibrium changing policy and people’s actions and behavior. The impact can be found both on a macro level, in which the world and nations may change, and on a micro level, in which communities, companies, and people are impacted.

In the 14th century the world was struck by the Bubonic Plague, otherwise known as the “Black Death”, which, per estimates, killed between 25% and 40% of people living in Europe. Until that time France and England were in a near state of perpetual war, and the English were content with the feudal system. After the plague struck, France and England were forced to agree to a truce in their perpetual warring. It also brought about the end of the English feudal system and completely changed society and social structures. Unfortunately, those with more sinister ideas used the plague to commit pogroms against certain ethnic groups.

On June 24, 1914, the heir to the Austrian throne, Archduke Ferdinand, was assassinated in the streets of Sarajevo. While tensions had been brewing within Europe for years, no country wanted to inflame the situation and a state of tense peace remained. The assassination, however, proved to be the proverbial straw that broke the camel’s back and thrust Europe into one of the costliest and deadliest wars in history. This war, in turn, changed the entire world and resulted in new countries being created and others subsumed.

While Europe raged with war between 1914 and 1915, the United States maintained an isolationist posture and did not enter the war. Certainly, there were some efforts to provide materials and support, but the US took a laissez-faire approach to the war in Europe and did not want to intercede. That all changed on May 7, 1915, when a German U-boat sank the RMS Lusitania, resulting in the loss of 128 American lives. This resulted in a chain of events in which the US finally entered the war in 1917 and helped bring closure to the war in 1918. The end of WWI resulted in the first attempt at organizing a community of nations to prevent conflict. The result was the precursor to the United Nations, known as the League of Nations.

Prior to December 25th, 1991, the world was in a relative state of peace due to the bi-polar cold war structure between the world’s largest superpowers: the Soviet Union on one side and the United States on the other. The 241 countries in the world in 1991 generally were aligned with either the Soviet Union or the United States. Both sides essentially stated “you are either with us, or against us”. This model kept the world in a state of relative peace (ignoring proxy wars) through détente, as neither side wanted an escalation that could result in a global conflict. On that fateful Christmas night in 1991, the Soviet Union collapsed.

This event resulted in a new world order in which the bi-polar cold war structure was immediately rendered irrelevant and a multi-polar structure evolved with numerous countries asserting influence. In the new world order, regional powers began emerging, staking claim to regional hegemony and asserting their new-found freedom. Unfortunately, rogue actors also arose, giving rise to increasing tensions throughout the world.

Less than 10 years later, on September 11th, 2001, terrorists attacked the World Trade Center in New York City. Prior to this attack, US policy and US defense and security strategy were relatively stable, and US policy toward Al Qaeda, the Taliban and Afghanistan was static. The changes implemented after the attack are still felt today, over 20 years later. Consider travelling by airline. Prior to 2002, there were few metal detectors in use at any airports. Visitors could walk with travelers to the gates. Prior to the attacks, there were only 33 active US Air Marshals assigned to protect tens of thousands of flights per day. In the month after 9/11, the US Government hired and trained 600 Air Marshals, and there are currently an estimated 4,000 on active duty.

These examples are only a small sample of the hundreds, if not thousands, of examples of punctuated equilibrium and its effects that exist throughout history. Within industries and companies, punctuated equilibrium has an equal effect. This is seen in the changes being experienced in cybersecurity that are being called the “new normal”. The initial event that caused the changes was the Covid-19 pandemic, which led to the changes mentioned in these blog posts. Criminals, being adaptive and rational actors, saw the changes and adapted their own behavior and attacks to take advantage of new vulnerabilities that were introduced.

Numerous self-proclaimed experts have taken exception to companies being victimized within the new pandemic working environment. The increases in cyber fraud being perpetrated led one author to state definitively that we don’t care about security enough. This rather parochial statement ignores the larger conditions such as threat adaptation and the defense/security cycle theory. It should be noted that while cyber fraud has increased due to the large number of remote workers, home burglaries have subsequently decreased for the same reason. In fact, crime overall is down significantly. During the first month of the Covid lockdown it was down 23%, and it has continued to remain lower than normal.

According to the Department of Homeland Security’s Security Lexicon, Adaptive Threats are defined as:

“…threats intentionally caused by humans.” It further states that Adaptive Threats are: “…caused by people that can change their behavior or characteristics in reaction to prevention, protection, response, and recovery measures taken.” 

If one considers the huge number of employees that were forced to work at home on very short notice, it is easy to understand how threat actors would seek to take advantage of the reduced security. While some may argue that there should have been sufficient security for work-at-home employees, this position is simply not accurate. Some companies were forced to send tens of thousands of employees home virtually overnight.

The concept of threat adaptation is directly linked to the defense cycle theory which, in the context of security, is called the security cycle theory. A threat actor launches an attack. In response, companies improve their security to address the new threats. As defenses improve, threat actors change their tactics and techniques to adapt to the changing controls. As the threat actors improve their capabilities, the defensive actors necessarily must change their own protections. This cycle continues ad infinitum until there is a disruption. The important point when considering the current environment is that defense/security is always reactive. While organizations try their best to be pro-active, threat actors adapt, forcing the defenses to respond in kind.

[Figure: attack/secure cycle]

As can be seen in the examples provided above, the “new normal” may be ‘new’ in the sense that changes will be made (and already have been) to working conditions and security implementations, but it is not new in the sense that the pandemic is not the first time an event has punctuated the equilibrium of the system, bringing about changes. While cyber criminals have found an opportunity to take advantage of new vulnerabilities introduced by the increased number of work-at-home employees, companies are responding in kind. Security will improve and we will again reach a state of stasis. Of course, the criminals will simply look for new ways to exploit organizations and it will continue ad infinitum.

About the Author: Chris Mark

Chris Mark is AT&T Cybersecurity’s PCI National Practice Director. He is an experienced security professional with over 25 years of experience in physical, operational and cyber domains of security. Chris is one of the original authors of the CISP and PCI DSS and has audited and consulted with over 100 large and complex organizations. He is a frequent public speaker on various security related topics. He has been interviewed on CNN, FoxNews, NPR, and NBC and has published scores of articles in periodicals such as SC Magazine, The Counter Terrorist, Credit Union Times, Secure Payments, Transaction Trends, and National Review, among others. Chris has a BA, MBA and is completing his dissertation for his doctorate in cybersecurity. He is a former enlisted Marine and Navy Officer combat veteran.
