Despite challenges faced by Meta and others, there remains optimism for the metaverse. The PwC 2022 U.S. Metaverse Survey highlights this. The survey, which included over 5,000 consumers and 1,000 U.S. business leaders, shows that half of consumers consider the metaverse to be exciting, and 66% of executives say their companies are actively engaged with it.
Granted, the investments are in the early stages. There are also experiments with various technologies like NFTs (non-fungible tokens), blockchain, crypto, and virtual reality (VR).
The metaverse may ultimately become the next generation of the internet. This could lead to substantial marketing and e-commerce opportunities. There will also likely be many applications for the enterprise; training is one very obvious enterprise use case.
But there will be some tough challenges, and perhaps the biggest is cybersecurity.
“I guarantee that there will be issues,” said Todd McKinnon, the CEO and co-founder of Okta. “If not, then no one would be using the metaverse.”
Despite the challenges and threats generated by the metaverse, experienced tech companies are aware of and working on implementing strategies that will better secure it.
Metaverse Threat Vectors
The true vision of the metaverse does not yet exist. Even Mark Zuckerberg has said the metaverse could take a decade to realize its full potential.
But in the meantime, there are still various security challenges. In terms of the metaverse platform, there will likely be a wide assortment of cutting-edge technologies like artificial intelligence (AI), natural language processing (NLP), sophisticated 3D graphics, high-end sensors, edge computing, blockchain payments, and so on. And these complexities will open up many vulnerabilities.
The first place to look for guidance is from existing metaverse-like platforms.
“We can consider the risks associated with very popular gaming platforms like Roblox and Fortnite, both with tens of millions of players,” said Ismael Valenzuela, VP of threat research and intelligence at BlackBerry.
Based on these systems, there are certain risks to expect for the metaverse:
- Brand Phishing and Malware: According to David Kemmerer, CEO and co-founder of CoinLedger, it’s difficult to regulate virtual environments due to their complexity.
- Identity Theft and Ransomware Attacks: Between impersonation and biometric hacking, augmented reality (AR) and VR have made it easier for attackers to damage the reputation of users, says Aamir Lakhani, cybersecurity researcher and practitioner at Fortinet’s FortiGuard Labs.
- Money laundering. Since the metaverse is likely to rely on cryptocurrencies, criminals can use these environments to hide their activities, which will result in problems with ransomware.
- Disinformation. Governments and terrorist groups can leverage the metaverse to spread propaganda.
What makes the metaverse particularly troubling is the potential impact on the real world. Valenzuela brings up concerns about the dangers of physical harm to virtual users via haptic sensors as well as fraud and threats to children in the metaverse.
Then there are the implications of avatars that look, sound, and act like humans. This is done using systems like generative AI.
“Researchers have found that humans cannot tell the difference between real and virtual faces,” said Nir Kshetri, professor at University of North Carolina-Greensboro. “But there is another point that is perhaps even more important. When the pictures of those fakes and real persons were presented and [rated for] ‘trustworthiness,’ the research participants viewed AI-generated faces to be significantly more trustworthy.”
Securing the Metaverse
The good news for security in the metaverse is that tech companies have lots of experience with building systems. Existing approaches will prove useful, such as single sign-on (SSO), multi-factor authentication (MFA), and endpoint detection and response (EDR). Naturally, of course, there will need to be adjustments to handle the unique aspects of immersive environments.
“Metaverses should implement stronger methods for continuous authentication and access control in all interactions between users, applications, and platforms, rooted in principles of zero trust,” said Ramanath Iyer, chief strategist at Akamai. “Further, given that ease of interaction, use, and adoption in the metaverse will require automated interaction between applications, care should be given to ensure that such interaction is highly secure.
“Lastly, metaverses can be made secure by building security into edge computing platforms, as the edge will play an integral role in enabling composable applications that deliver personalized content in real-time, processing high rates of data at extremely low latency.”
But security will need to go beyond implementing technologies. Because of the interaction of the real and digital worlds of the metaverse, there will need to be rules and order to manage the experience. If not, the environment could easily crumble.
“Many of these activities and decisions in many ways are more akin to policing or governing a city or a county rather than what many people would call ‘security,’ but will be necessary to the success and long-term operation of any of the metaverse platforms,” said Geoffrey Fisher, senior director of integration strategy at Tanium. “Without both the cybersecurity as well as ‘community governance,’ an individual platform is unlikely to be successful and may even gather the ire of regulators given the potential impacts.
“Without a doubt, this will continue to be an area of growth for the cybersecurity and privacy industries, but will also pose new and interesting challenges for the organizations building the platforms to regulate user behavior, activities, and interaction.”
When it comes to security, there will be plenty of surprises with the metaverse. This happened with other internet waves, such as e-commerce. Being proactive with the metaverse will be critical. It will allow for a much stronger foundation.
“Cybersecurity will be necessary to provide a reasonable level of trust and assurance to businesses and consumers before it becomes generally accepted,” said Bob Huber, chief security officer at Tenable. “The industry will have to identify reasonable norms, or the government may step in with regulation.”