metaverse

Although the metaverse may still seem like an undefined concept to many, like everything else touched by technology it will need security—likely a lot of it.

Subscribe to the Crunchbase Daily

While the metaverse promises a new in-depth virtual experience that could change the way we work, play and, in general, interact with each other, its reliance on virtual and augmented reality, digital devices and different digital social platforms may have implications for a variety of security concerns from hardware in a headset to personal data privacy issues.

“When it comes to security, there is always kind of an echo created by something new,” said John Funge, managing director at cybersecurity foundry and investment firm DataTribe. “It’s like a boat goes through and leaves cybersecurity issues in its wake. It seems like (the metaverse) will create a new attack surface, but it’s still unclear.”

Infrastructure of the metaverse

Technologies that secure the metaverse’s needed IT devices and accompanying firmware are the most obvious areas for cybersecurity.

With its seeming dependence on VR headsets, securing those devices could become more important than securing phones—an industry that created large companies like AirWatch and MobileIron just less than a decade ago.

“You could see a new round of investment when it comes to IoT security,” Funge said.

IoT security went through fits and starts in recent years when it came to venture dollars and dealmaking. Perhaps not coincidentally, just last week Palo Alto, California-based Armis Security, one of the largest companies in IoT security, closed a $300 million private equity round—nine months after it raised $150 million—at a $3.4 billion valuation.

On the dealmaking side, a company that likely has eyes for the metaverse and also has been quite active recently collecting IoT security technologies is Microsoft. In June, the company announced it would acquire Maryland-based ReFirm Labs, developer of an open-source firmware security-analysis tool, as well as IoT security vendor CyberX. While terms of the deals were not announced, the Redmond, Washington-based tech giant pledged two years ago to invest $5 billion into the IoT.

Data, privacy and you

While securing the hardware is a clear need for the metaverse moving forward, a likely bigger question involves something that seems intertwined into every aspect of technology today—data and privacy.

Funge said there likely will be issues with the data, privacy and authentication involved in creating the metaverse. He noted some of the same questions that have surrounded Linden Lab’s Second Life virtual offering concerning data, privacy and regulation likely are applicable to what the metaverse will face.

“All that data about you just generates more data,” he said. “What does it mean for a company to have the right to all that data?”

Protecting that data and analyzing the large amount of transactions undoubtedly will be an important feature in securing the metaverse.

Matthew Goldstein, a managing director at M12 who invests in cybersecurity and who co-founded the venture arm in 2016, said part of M12’s investment thesis when looking into cyber has been to help companies build up their data mounts—something that could be a point of emphasis in the metaverse. He pointed to M12’s investment in companies like Austin, Texas-based SpyCloud, which helps prevent account takeovers and fraud, as a good example of the thesis.

Other companies like New York-based Chainalysis, which gives analysis of blockchain data and crypto transactions to governments, banks and businesses, also could play a role in securing the marketplaces of the metaverse.

The metaverse as a place of commerce in general could cause privacy and security headaches even with the proper measures taken. Ian McShane, field chief technology officer at Minnesota-based cybersecurity firm Arctic Wolf, said most descriptions of the metaverse sound like VR worlds where one buys and interacts with things that don’t exist in reality.

“Although they don’t exist in ‘reality’ and are supposed to be part of a decentralized chain of custody, they remain linked to an individual’s real-world wealth and identity,” he said. “So naturally I have immediate concerns and questions about security and privacy.”

While the metaverse is expected to offer a new experience, the basic concept still revolves around the user being the user. Unlike social media platforms where individuals have very one-dimensional profiles, the metaverse is intended for people to have near replicas of their persona.

Goldstein said users’ ability to take their identity with them — including all the data and relationships built through other digital platforms — to a new virtual world seamlessly will be crucial to its success.

“People who nail it with portable identity with commerce built in will be the big winners,” he said. ”It’s all about portable identity and what that identity contains.”

In the end, the metaverse’s success will be measured by how many users take themselves into the experience fully.

“At the core of what Meta is trying to do is bring more of yourself with you as you travel the internet,” Goldstein added.

Adoption

The question remains of how many people and how much of themselves will be brought to the new venture. Just like any new tech platform, securing it and the investment in those cyber platforms will highly depend on adoption. Some of those in the security field remain curious if most people will make it to the so-called “next chapter of the internet.”

McShane said outside of people buying and selling virtual NFTs, he hasn’t come across the killer use-case that’s going to cause mass adoption by most people. And while it is possible celebrity VR avatars could be the target of account takeovers and used to boost some DeFi currency in the same way as Twitter accounts have been used, he has a wait-and-see mindset when it comes to the metaverse.

“I do see some pockets of smart people in our industry talking about using decentralization to address inequality, to use virtual spaces for education, but right now, before we get to security and privacy, I’m more interested in what the tipping point for widespread adoption will be,” he said.

Illustration: Dom Guzman