Forget what the metaverse might be like, there are more important questions
Securing the metaverse must be the first item on the docket, says Cisco Talos
‘The metaverse’ is a term that has been bandied around with great enthusiasm by some of the world’s largest technology companies of late, but the concept remains relatively ill-defined.
If you ask Meta (née Facebook), the metaverse will be a series of interconnected virtual spaces where people gather to work, socialize and play. These cloud-based environments will either be accessed via virtual reality headsets, or otherwise projected onto the physical world.
Microsoft, meanwhile, describes the metaverse as a “persistent digital world that is connected to many aspects of the physical world, including people, places and things”. The company says it thinks of the metaverse as “both a new medium and an app type” that is novel in the same way the internet was back in the 1990s.
If you’re still none the wiser, you’re not alone. The metaverse is still very much under construction; its constituent technologies already exist, but the full picture won’t take shape for many years to come.
However, according to the threat intelligence unit at networking company Cisco, what exactly the metaverse will look like should be a secondary consideration - the first priority must be to secure it.
“The term ‘metaverse’ implies there is a coming revolution in the way we use the internet and interact with one another. However, we need to be aware of the possible negatives,” warned Martin Lee, EMER Lead at Cisco Talos.
“We’re dealing with a new version of the Wild West here; it’s very exciting, but equally dangerous from a cybersecurity and data privacy perspective.”
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Move fast and (try not to) break things
Historically, the most successful technology businesses have been those unswerving in their commitment to the “move fast and break things” mantra, coined by Mark Zuckerberg himself.
The problem with this approach, claims Lee, is that product-focused technologists often leave in their wake a minefield of cybersecurity and data privacy problems, just waiting to be exploited by cybercriminals.
“This has been an issue in software development for years; security is too often an afterthought,” he told TechRadar Pro. “And every time there has been an evolution in the way we communicate, it has brought out the dark side of human nature too.”
“The scammers and fraudsters of this world have time and again demonstrated their capacity for innovation. They have always been keen to adopt new platforms, which provide a new forum for criminal business models, and there’s no reason to believe the metaverse will be any different.”
According to Lee, the first step is to raise awareness of the potential threats among regular users. An informed public is better equipped to recognize an attempted fraud and make decisions about which facets of the metaverse to participate in.
Second, he says it’s important to demand that security is baked into the equation from day one of development. Given most pundits think the metaverse won’t come to fruition for many years yet, there should be plenty of runway to make this happen.
In practice, however, securing the metaverse from its conception may prove difficult. Given this series of virtual environments is unlikely to be owned or governed by any single entity, and given the likelihood cryptocurrency will play a role in transactions between metaverse constituents, identifying who is responsible for preventing fraud and cyberattacks will be no simple matter.
Presented with this conundrum, Lee conceded that it’s not a problem society has yet figured out how to solve. The internet was created three decades ago, he noted, and it’s still non-trivial to determine who is responsible for policing a digital crime, because the internet “in many ways transcends national borders”.
“In the physical world, we have governments, law enforcement and courts where we can take disputes,” he said. “So when these new metaverse environments are created from scratch, it will be important to clarify who is policing them and what recourse users have when something goes wrong.”
Identity in the metaverse
Another crucial part of securing the metaverse will be establishing a robust system for identity verification. In a world in which everyone is represented by an avatar, identity fraud could become all the more pervasive and dangerous.
“In the real world, we have identities and consequences for our actions that affect our personal reputation, but that real-world identity is decoupled in a virtual environment,” Lee told us.
“In the metaverse, you won’t know whether people are who they say they are, or whether they are trustworthy. The issue of who is who in these virtual worlds is yet to be resolved.”
In addition to spear-phishing attacks and financial fraud, it’s easy to imagine how difficulties with clarifying identity in the metaverse might be used for catfishing or stalking purposes.
It is also predicted that people will attach cryptocurrency wallets to their metaverse avatars, which Lee describes as a “gift for the bad guys”. And non-fungible tokens (NFTs) are expected to play a major role too, perhaps in the form of digital items of clothing, which will create opportunity for further scams.
Public blockchain, the technology that underpins both cryptocurrency and NFTs, is maintained and operated by no single entity. This is useful for anyone worried about the dangers of centralized power and single points of failure, but not so useful when it comes to addressing wrongdoing.
“If you’re engaging in the exchange of value in one of these environments, what are you going to do when the other party doesn’t fulfil their end of the bargain? When you hand over cryptocurrency but receive nothing in return?” Lee asked.
“We have already seen evidence of digital goods being counterfeited and large thefts from cryptocurrency wallets, and we certainly envisage these sorts of scams happening in the metaverse too.”
With regards how these problems might be addressed, Lee reiterated the importance of educating consumers so they are better equipped to protect themselves. But end users have never been particularly good at looking after their own interests. For example, despite repeated warnings about the dangers of simple and duplicate passwords, many people are still guilty of terrible password hygiene.
Solutions like multi-factor authentication may go some way to shielding against phishing and fraud in the metaverse, Lee says. Another option is to mandate biometric authentication, which would drastically reduce the opportunity for impersonation-based attacks. But this would require people to be willing to sacrifice either convenience or their biometric data for the sake of security.
Cost-benefit analysis
For someone who spent the duration of our conversation methodically setting out the dangers associated with the metaverse, Lee is surprisingly sanguine about the value it could deliver.
Asked whether he thinks the companies positioning themselves as architects of the metaverse (Meta, Microsoft, Google etc.) can be trusted to build out this new medium in a responsible manner, Lee declined to comment. But he did express a level of enthusiasm about the possibilities the metaverse represents.
“Generally, I’m optimistic about where this is heading,” he told us. “These virtual worlds will be full of opportunity and have the potential to have an enormous positive impact on our everyday lives.”
“Of course, there are also costs. As the metaverse evolves, it will be about minimizing the potential for abuse, by improving the level of awareness among consumers and applying pressure on the companies responsible for building it.”
The proclivity of technologists to prioritize product over security is next to impossible to extinguish - at least to some extent, it’s the reason for their success. However, if end users demand their security is taken seriously, Lee suggests, technologists will have no option but to take notice.
- Shield against security threats with the best antivirus services around
Joel Khalili is the News and Features Editor at TechRadar Pro, covering cybersecurity, data privacy, cloud, AI, blockchain, internet infrastructure, 5G, data storage and computing. He's responsible for curating our news content, as well as commissioning and producing features on the technologies that are transforming the way the world does business.