It happens – Every. Single. Time.
There’s always some future-impacting development or thesis in the technology landscape that presents completely unforeseen cybersecurity challenges. Please note that I did not say “unforeseeable” – I said unforeseen. A great example of this is the advent of e-commerce prior to the existence or enforcement of a security standard that parties in the payment chain should use to handle data that is inherently prone to financial fraud. In 1994, people began selling goods and services, and accepting payment data, over the internet. In contrast, the first iteration of PCI-DSS (Payment Card Industry Data Security Standard), which was then called CISP (Cardholder Information Security Program), showed up nearly a decade later.
Maybe it was because people didn’t honestly believe that the internet would be a fundamental aspect of everyday life, or that buying things online was the future, so “why bother”; but if we’re being honest, it’s for the same reason that it always has been and likely always will be:
Security Is an Afterthought to Most People Who Are Not Practitioners.
If you work in the space, you’ll know exactly what I am talking about. “The business is first, and cybersecurity is a close second” is something that I’ve heard more times than I care to count. It’s also wrong. There isn’t a priority order to security that puts it ahead of or behind commerce. It is an integral part of any product or service that you’re developing with an intent to launch publicly. I honestly can’t believe I’m still saying this after this many years doing this, but here we are.
So, instead of doing what we’ve always done, and becoming de facto incident responders, let’s think through some of the challenges that “the metaverse” might present.
What IS The Metaverse?
There are plenty of articles on what people think the metaverse is going to be – like this one at Wired that does a pretty good job of examining current messaging by Facebook and others. Here are a few observations about the definition of a “metaverse”:
- We don’t know what it’s going to be precisely, but rest assured that some of the biggest companies in the world want you to have it, so you’re probably going to have it.
- It involves augmented reality (AR) and/or virtual reality (VR) tech combined with online communities. Think “I’m in my Oculus. You’re in your Oculus. We are in Oahu.”
- It definitely involves commerce. There would be no business reason to do it otherwise. So, you’re going to be buying things. Think “I’m in my Oculus. You’re in your Oculus. We are in Oahu. You buy us virtual surfing lessons. We are now literally web 3.0 surfing.”
- The metaverse will certainly include business-to-business functionality. The trend of wanting to “kill email” that started in the late 90s and was reinforced by Slack will probably result in some new thing that looks like MMS and attempts to create efficiencies in simple comms that “make stuff happen faster.” Apple’s widgets in combination with services like Apple Pay are a good example of what this might feel like. Think “I’m in my Oculus. You’re in your Oculus. We are in Oahu. You buy us virtual surfing lessons. We are now literally web 3.0 surfing. I reimburse you for these lessons by blinking 3 times and waving my hand.”
- Third-party developers will write LOTS of software – Metaware, if you will. Think “I’m in my Oculus. You’re in your Oculus. We are in Oahu. You buy us virtual surfing lessons. We are now literally web 3.0 surfing. I reimburse you for these lessons by blinking 3 times and waving my hand. Why is this surfboard accessing my Coinbase wallet?”
- Crypto will probably play a pretty big role, and NFTs will likely become objects that you need in order to accomplish tasks in the metaverse. Think “I’m in my Oculus. You’re in your Oculus. We are in Oahu. You buy us virtual surfing lessons. We are now literally web 3.0 surfing. I reimburse you for these lessons by blinking 3 times and waving my hand. I like this surfboard and I wish to own it permanently.”
So while we don’t KNOW for sure what the future holds, we can take a pretty good guess at what we’re in for, where the inherent, obvious vulnerabilities will be, and which disciplines in security are going to matter most.
Cyber Focus Areas That Will Matter in The Metaverse
- Application Security
  The metaverse experience will be application driven, combining content with local application functionality. The large players will want you exclusively in their platforms, and they have their own advanced appsec teams, so maybe there’s not a ton to worry about here. There will, however, be tons of small, innovative startups who do something so cool that everyone absolutely must have it, and some percentage of them will not know anything about appsec. This is a likely vector of attack.
- Secure Storage
  I’d love to tell you that I think the days of mass data dumps that occur because “performance trumps security” are behind us, but I would be joking. Companies and people will be buying digital objects in this thing, just like they buy app plugins for Slack, etc. Again, large security teams that are assigned to a specific product group will likely do a pretty good job here, but the potential for everything you’ve ever done in a specific meta app or “experience” becoming public is significant.
- Hardware Security
  The devices themselves (goggles, gloves, full body goo computer, whatever) will contain code. That code will contain bugs. Some number of those bugs will be exploitable. Some of those exploits could end up being quite harmful to individuals or corporations.
The Ask – Can We Please Start Talking About This?
I’m not suggesting by any means that this is a comprehensive look at this problem. The point of this post is that I think metaverse security models that will actually work should be part of the discussion now. Even though it took a long time, and it was largely an afterthought, we have done this for every other aspect of infosec. I’d just like to start a little earlier this time around.