- The metaverse is creating a lot of buzz, but questions are already being asked about security.
- This virtual world could present new opportunities for phishing, identity theft and even spying.
- We must use the early days of the metaverse to establish core security principles that will allow people to safely work, shop and play.
Beneath the buzz, the metaverse is arriving in both predictable and unexpected ways.
Some new experiences using headsets and mixed reality will be in your face – quite literally – but other implications will be harder to spot. As with all new categories, we’ll see intended and unintended innovations and experiences, and the security stakes will be higher than we imagine at first.
There is an inherent social engineering advantage with the novelty of any new technology. In the metaverse, fraud and phishing attacks targeting your identity could come from a familiar face – literally – like an avatar who impersonates your coworker, instead of a misleading domain name or email address. These types of threats could be deal breakers for enterprises if we don’t act now.
Because there will be no single metaverse platform or experience, interoperability is also crucial. Trust cannot end at the doorway of a virtual meeting space, for example – it must extend to the interactions and apps within – otherwise security uncertainty will hobble people wondering what to say or do in a new virtual space and create gaps that can be exploited.
Which brings us to the importance of these early days for the metaverse: We have one chance at the start of this era to establish specific, core security principles that foster trust and peace of mind for metaverse experiences. If we miss this opportunity, we’ll needlessly deter the adoption of technologies with great potential for improving accessibility, collaboration and business. The security community must work together to build a foundation to safely work, shop and play.
Securing the Metaverse
So what can we expect — and how can we create a trusted environment in the metaverse?
How is the World Economic Forum ensuring that artificial intelligence is developed to benefit all stakeholders?
Artificial intelligence (AI) is impacting all aspects of society — homes, businesses, schools and even public spaces. But as the technology rapidly advances, multistakeholder collaboration is required to optimize accountability, transparency, privacy and impartiality.
The World Economic Forum's Platform for Shaping the Future of Technology Governance: Artificial Intelligence and Machine Learning is bringing together diverse perspectives to drive innovation and create trust.
- One area of work that is well-positioned to take advantage of AI is Human Resources — including hiring, retaining talent, training, benefits and employee satisfaction. The Forum has created a toolkit Human-Centred Artificial Intelligence for Human Resources to promote positive and ethical human-centred use of AI for organizations, workers and society.
- Children and young people today grow up in an increasingly digital age in which technology pervades every aspect of their lives. From robotic toys and social media to the classroom and home, AI is part of life. By developing AI standards for children, the Forum is working with a range of stakeholders to create actionable guidelines to educate, empower and protect children and youth in the age of AI.
- The potential dangers of AI could also impact wider society. To mitigate the risks, the Forum is bringing together over 100 companies, governments, civil society organizations and academic institutions in the Global AI Action Alliance to accelerate the adoption of responsible AI in the global public interest.
- AI is one of the most important technologies for business. To ensure C-suite executives understand its possibilities and risks, the Forum created the Empowering AI Leadership: AI C-Suite Toolkit, which provides practical tools to help them comprehend AI’s impact on their roles and make informed decisions on AI strategy, projects and implementations.
- Shaping the way AI is integrated into procurement processes in the public sector will help define best practice which can be applied throughout the private sector. The Forum has created a set of recommendations designed to encourage wide adoption, which will evolve with insights from a range of trials.
- The Centre for the Fourth Industrial Revolution Rwanda worked with the Ministry of Information, Communication Technology and Innovation to promote the adoption of new technologies in the country, driving innovation on data policy and AI – particularly in healthcare.
Contact us for more information on how to get involved.
It’s important to remember that history often repeats itself
Technology shifts have a way of seeping in while we’re looking the other way. Consider the fact that real estate booms in virtual worlds aren’t new – coveted dot-com domain names were hot with brokers and speculators in the 1990s.
The early World Wide Web would indeed revolutionize commerce, but it would do so in ways many did not fully anticipate in the 1990s. Meanwhile, the ease of setting up a website also led to a gold rush of fraud with knock-off domains impersonating banks, government agencies and household brand names. These problems persist to this day.
We have seen this cycle play out again and again. When Wi-Fi was first available on laptops, corporate security teams were wary of embracing it. Before long, you could not buy a laptop without Wi-Fi –whether your organization accounted for wireless in security policies, or not.
When the iPhone and Android phones exploded onto the scene, they became a massive catalyst for BYOD (bring your own device) policies in the workplace. Almost overnight, personal devices became a new category and organizations had to catch up. We can logically expect metaverse-influenced features and experiences to arrive at enterprises in much the same fashion.
Let’s learn from these lessons and stay ahead of the curve
We’ve long known that security is a team sport, and no single vendor, product or technology can go it alone in protection. The culture of information-sharing and collaboration in the defender community today has been a monumental achievement that did not happen overnight. Today ISPs, cloud providers, device manufacturers — even industry rivals in these markets — recognize the need to work together on security issues.
Sitting now at the gateway of a new dimension in technology, it’s critical to align on key priorities to help secure the metaverse for generations — and identity, transparency and a continued sense of unity among defenders will be key.
Identity is where intruders strike first
For years fraudsters have claimed to be deposed princes with fortunes to share, or sweepstakes hosts desperately trying to reach you, but the advent of email and text messaging re-franchised these schemes for the digital world.
Play this forward, and picture what phishing could look like in the metaverse. It won’t be a fake email from your bank. It could be an avatar of a teller in a virtual bank lobby asking for your information. It could be an impersonation of your CEO inviting you to a meeting in a malicious virtual conference room.
This is why solving for identity in the metaverse is a top concern. Organizations need to know that adopting metaverse-enabled apps and experiences won’t upend their identity and access control. This means we have to make identity manageable for enterprises in this new world.
Constructive steps include making things like multi-factor authentication (MFA) and passwordless authentication integral to platforms. We can also build on recent innovations in the multicloud arena, where IT admins can use a single console to govern access to multiple cloud app experiences their users rely on.
Transparency and interoperability will be key
There will be many providers of platforms and experiences in the metaverse, and true interoperability can make the gaps between them seamless and more secure — while enabling exciting new scenarios. Think of bringing your virtual PowerPoint presentation into a client’s virtual meeting room, even if it’s operating on a different platform.
Transparency can help enable this every step of the way. New platforms usually run a tough gauntlet once they arrive in enterprises at scale — that is often when security researchers really begin probing code, features and product claims.
Metaverse stakeholders should anticipate security questions and be prepared to jump on any updates. There must be clear and standard communication around terms of service, security features like where and how encryption is used, vulnerability reporting and updates.
Transparency helps accelerate adoption — it speeds the learning process for security.
Have you read?
Our strongest defense is working together
The problems of yesterday’s and today’s Internet — impersonation, attempts to steal credentials, social engineering, nation state espionage, inevitable vulnerabilities — will be with us in the metaverse. And it will take the same security community of good faith, norms and teamwork to anticipate and respond to them.
The strides we’ve made across the tech industry in cooperating against threats as the stakes have risen in recent years remains a cornerstone for security as metaverse platforms and experiences begin to shape the future.
Security researchers, chief information security officers and industry stakeholders also have an opportunity to understand the terrain of the metaverse as adversaries do — and use it to our advantage. Metaverse platforms will likely create and generate entirely new data streams with the potential to improve authentication, pinpoint suspect or malicious activity or even revisualize cybersecurity to help human analysts make decisions in the moment.
As with any new frontier, high expectations, fierce competition, uncertainty and learning on the fly will define how the metaverse evolves — and the same is true for securing it. But we do not need to predict the ultimate impact of the metaverse to recognize and embrace the security and trust principles that make the journey a safer one for all.
Let’s make the lessons we’ve learned about identity, transparency and the security community’s powerful collaboration our top ideals to enable this next wave of technology to reach its full potential.