Metaverse security: how to learn from the mistakes of Internet 2.0 and build secure virtual worlds

As the building blocks of virtual worlds take shape, leaders in technology, business, and government must simultaneously tackle issues of trust, security, and safety. Web 3.0 is a chance to shape these worlds based on lessons learned from past mistakes.

Meta’s Mark Zuckerberg talks about the “metaverse” as if there is only one virtual world to visit. The reality is that there are already multiple metaverse worlds open for business, and it’s by no means certain that a single company will rule them all.

It’s clear to James Arlen, CISO of database-as-a-service company Aiven, that building secure metaverse worlds isn’t a zero-sum game with one winner and many losers. It’s much more of a Nash equilibrium situation, which means that each player must consider the decisions of other players when setting their own strategy.

“If everyone loses a little, everyone wins,” he said. “It can be a model where everyone wins if we do things for each other.”

Technology and policy pundits see several issues that need to be addressed as virtual worlds become more common:

  • Troubleshoot existing infrastructure issues
  • Improve online identity management
  • Establish a shared code of conduct
  • Define trust and security policies for virtual worlds
  • Determine who has the authority to enforce these policies

Tiffany Xingyu Wang, director of strategy and marketing at content moderation firm Spectrum Labs, said ensuring a safe environment will be a basic requirement for all virtual worlds.

“Trust and security are essential to the survival and success of any metaverse,” she said. “4chan will occur in the metaverse if there is no railing.”

A persistent and continuous environment such as a metaverse could amplify the frequency and intensity of harassment, according to Wang.

“With Facebook, you close your laptop or the app to leave, and it’s not like you’re constantly there,” she said. “The Metaverse is immersive and multi-sensory, which makes the impact much greater. The time to toxicity is much shorter.”

In addition to establishing basic rules of conduct, virtual worlds will need laws to govern financial transactions and legal issues such as intellectual property rights. Navrina Singh, CEO and co-founder of Credo AI, said governance issues need to be addressed in the real world now to keep consumers safe in the metaverse.

“By diving headfirst into the metaverse with a lack of AI oversight, companies are exposing their customers to risks like identity theft and fraud,” Singh said.

Ahmer Inam, Director of AI at PacTera Edge, also thinks the Metaverse needs a governance and regulatory framework.

“One would hope that corporations could self-govern, but that hasn’t really proven, so these rules would have to be enforced and mandated by the public sector,” he said. “Entities that monetize engagement so far haven’t really shown a sense of social responsibility about the impact of this technology.”

These are just some of the issues technology leaders and government officials need to address to begin building the metaverse with more security and stronger codes of conduct than we have with Web 2.0. Here’s a look at what it would take to fix lingering technology issues, address new ones, and establish virtual rules of the road now before the crashes start.

Building on fragile foundations

Arlen sees the recent discourse on the metaverse as an “everything old is new again” situation. Layering a new UI on top of an existing infrastructure brings all the strengths and weaknesses of those familiar building blocks. Aiven is a database-as-a-service platform that provides access to established and emerging database technologies for new and established businesses.

“As you venture into this new UI, the items underneath are still servers and data centers,” he said. “And when you think about the implications of revamping stuff that’s already known to be crappy….”

Virtual worlds add another layer of abstraction to the technology experience, which means losing some of the context for lower layers, Arlen said.

He also sees issues with the idea of authenticity for individuals and how authenticity and authentication come together in virtual worlds.

“We know today that we’re bad at federated identity, and we’re really bad at good-quality authentication,” he said. “Look how we currently lack a meaningful way to cryptographically prove that my ID on LinkedIn, Twitter, and Facebook is the same human.”

The other side of the coin is the issue of anonymity and safety, for people who can be targeted if they have to use their real identities online, such as dissidents and social justice activists.

“Now we’re down to real name politics,” he said. “All of these things intertwine in weird ways.”

Simply layering a different user interface on top of existing technology isn’t the problem, he said; rather, it’s the implications that matter.

“The most salient point is that we can’t predict what this is going to do to us until we do it,” he said.

Identify risks

Any metaverse faces two basic sets of security issues:

  1. Familiar challenges technologists have faced for decades
  2. Brand-new challenges specific to a metaverse environment

Some of the security risks in the metaverse and cryptocurrency are familiar ones involving false identities and false promises. Bad actors sell NFTs and then disappear with the profits before minting anything, or they inflate the value of a coin and then cash out their shares. These rug pull scams accounted for a large portion of the $361 million lost to decentralized finance hacks in the first half of 2021.

Then there are issues specific to virtual worlds:

Cisco Talos researchers Nick Biasini, global head of Cisco Talos Outreach, and Jaeson Schultz, technical manager at Cisco Systems, said the biggest problem with both is that there is no recourse if someone gets scammed in a virtual world.

“There are only a few places where you can lose $1 million and not be able to do anything about it,” Biasini said.

Schultz said another issue is defending intellectual property.

“People knock NFT images of characters that aren’t their intellectual property,” he said.

“Irrational gold rush fever” is also behind many scams, especially with NFTs, Schultz said. “You have a huge number of people who have FOMO with cryptocurrency, and they’re jumping with whatever they have.”

Establish a set of shared rules

The two Cisco Talos security experts agreed that securing virtual worlds will require collaboration between businesses and governments. At the moment, there is no single metaverse. There are many virtual worlds of all shapes, sizes and access mechanisms. Interoperability will be an issue in these virtual worlds, which will also work better with a shared code of conduct.

“We’re going to need these companies working together to create some sort of standard in these worlds,” Biasini said.

“The struggle today is: are we going to have Facebook running in god mode and running the show, or are we going to have a truly democratic shared metaverse where everyone has a level playing field?” Schultz said.

Biasini said there will also be concerns about acquisitions.

“It’s entirely possible that someone like Facebook will build a metaverse and then buy some of the smaller ones and bring them in,” he said.

Schultz said metaverse managers could use some of the techniques from the early days of email.

“You could keep track of people who are bad actors and create blocklists to exclude them from our networks,” he said.

The public nature of blockchain transactions provides another way to identify bad actors and pressure legitimate actors to ban criminals.

“At the end of the day, criminals have to get money somewhere, and law enforcement can track money from those wallets and track people who commit crimes,” Schultz said.

The idea of creating a domain authority also applies to cryptowallets. Wallets that are 10 minutes old instead of five years old will be treated with a great deal of skepticism, just as newly created domains are treated with suspicion.

“You’ll want a provenance for the wallets you accept into your world,” Biasini said. “Novelty will not help you in any way.”

Biasini also expects more traditional controls to extend to metaverse transactions as well.

“If you’re going to move 10,000 in crypto, people are already talking about removing names and other information, just like we do with fiat currency,” he said.