Podcast transcript: How secure is metaverse tech?


This automatically-generated transcript is taken from the IT Pro Podcast episode "How secure is metaverse tech?" We apologise for any errors.

Rory Bathgate

Hi, I’m Rory Bathgate. And you’re listening to the IT Pro Podcast, where this week we’re considering the risks and rewards of metaverse technology. In just the past few years alone, metaverse technology has seen massive growth and investment. Facebook retooled itself as Meta last year, and the company has subsequently spent over $15 billion on the tech through its Reality Labs division. Meanwhile, other big names in tech such as Microsoft and Nvidia have announced forays into metaverse tech themselves, and McKinsey says that in all, over $120bn was spent on metaverse tech in the first five months of 2022. But like with all innovations in the tech industry, metaverse tech carries the potential to bring many vulnerabilities along with its proposed benefits, with existing vulnerabilities carried across to this new frontier along with the potential for novel threats that make use of metaverse technology also becoming an issue. This week, we’re speaking to Rick McElroy, Principal Cyber Security Strategist at VMware, about the challenges posed by metaverse tech, and what can be done to address these while it’s still in its infancy. Rick, thanks so much for being on the show.

Rick McElroy

Hey, thanks for having me.

Rory

So just to start off with, what do you see as the main business use cases for Metaverse technology?

Rick

Oh, that's interesting. I personally, think about the cost savings of sending humans like myself all over the globe, to whether that's facilitation of a meeting, audit, controls some sort of incident response engagement, there is a huge cost to transporting humans all over the globe to do their job, right. There's a huge cost to educate those humans. You just got back from VMware Explorer. And I think certainly organisations have explored something like virtualized conferences during the pandemic. And then I would say, as that starts to mature, as it starts to become more real, I do expect organisations to, to achieve some cost savings by being able to bring together people remotely in these types of areas. I certainly think I'm in the education space. This is a huge area where you can have virtualized universities where there's better connection than we do from an online university perspective. And so I do think, you know, some of those verticals are exploring those areas today.

Rory

Fantastic. So you mainly see it as one of many tools to bring into the workplace, not necessarily radically changing how offices work in any way, potentially, but maybe for specific use cases, such as in education and in conferencing?

Rick

I think potentially, in the end. But if you look at what happened over the pandemic, so the realism of having to send employees home caused a lot of organisations to have to change technologies change process, do all of these things. Well, we're back on the other side. And some companies have decided to start to bring people back to offices. And so it is a long tail, especially inside of organisations to adopt technology. When you look at certain verticals, certainly the federal vertical, the state and local verticals and municipalities and governments, they're just a little slower to bring that tech in, right? And so I know, meta, and all the good folks are instantly gonna see some consumer adoption. But I think in organisations, there'll be a vetting period.

Rory

That's interesting that there might be a public private, delayed adoption. I mean, of course, that's something that we see across the tech sector. But it's interesting that you mentioned that. So assuming that metaverse technology does really take off in a big way, and certainly a lot of really large tech firms like Microsoft, Apple, of course, Meta. They all seem to think it will. What are some of the immediate cyber security concerns that it will raise?

Rick

Well, I think the first one for me is we're building a bunch of new tech on top of old technology. So if you look at the back end of what's being built, it's still sitting on top of Linux servers with containers, which we fundamentally know are insecure based on lots of threat analysis, and lots of consulting with companies. And then of course, watching what the attackers are doing, right? So my first concern is, with any new technology, not building that with the misuse cases in mind, as a rush to market generally becomes, I think, concerning from a security and risk perspective. And so, I think having some thoughtfulness as we start to deliver some of this new technology specific areas that I think about: we haven't quite nailed identity yet, and misuse of identity. So those are key areas that I think if we dragged relying on passwords into the metaverse, that's probably a path that we know. It's a recipe towards breaches and towards some of that disastrous results. But I think if we're thoughtful about things like identities, if we're thoughtful about controls that we put in place to help identify folks, so that they can't run scams or report some of the misinformation that we see from other platforms, those types of things, great. But I think we're moving a little faster than I think the security and privacy community's comfortable with.

Rory

Yeah, I mean, you know, you're a cybersecurity expert yourself. I think there are a lot of cybersecurity experts right now who are shaking their heads going. No, we've, you know, we want to move away from the whole password headache and towards something more more secure something, you know, this is a software error. This is a technology in its infancy, maybe we can design something from the ground up, you know, is properly secured by design. On that note, there's been talk I know around continuous digital authentication, and the role that that can play in the metaverse or in metaverse tech, I should say. So, could you talk a bit about that? For those who don't know, could you lay out what it is in brief and how it could help in this role?

Rick

Yeah, absolutely. The idea of a continual, you know, authentication strategy. Most people are familiar with a one time authentication, I go to a website, I need a service, it has a login, I use a username and password, good to go, right? Continual auth moves towards using factors to continually authenticate the device, the identity of the human that's on the device. And then of course, other factors, one of which will probably be biometrics as we start to look towards that future with Meta. But I think the intrinsic risk is really, you know, this idea of to actually get to a place where you can use continual auth on an identification, it butts up against privacy. Right, so for nations that are concerning, and certainly citizens that are concerned about privacy, as we start to gather this data, it clearly butts up against the line of privacy. And I think for some of the organisations that are involved in the build out of the metaverse, or whatever we wind up adopting as that nomenclature in the future, they've shown that they haven't been good shepherds of privacy today. And so I think them having some transparency and addressing their current issues would help alleviate some of the concerns in the future.

Rory

That's interesting. And on that point of the nomenclature, I think, certainly right now there is a tendency to talk about the metaverse, which is often I guess, just by name association, and by the amount of money that they've poured into it already associated with Reality Labs, other researchers at Meta, and with Meta itself. Do you think that we need to be having conversations right now around maybe broadening the term out and not letting it fall into the hands of a very choice few players and maybe broadening the technology out in its infancy?

Rick

Well, I mean, I certainly think it's brilliant. I will credit that. I mean, it's pretty brilliant, what they did. Um, that being said, look, Apple is, you know, currently developing their technology and platforms. So I have a feeling their ecosystem is going to do what Apple's ecosystem does right. And so I do see them as a major player in this market moving forward, but that's all going to look different. Look, I think Apple has taken a different stand on privacy and security than some of the other vendors, I appreciate what they've done. They've certainly helped to secure these devices, I think they've enabled a world, or are starting to enable the world where we're not just ad tracks, and all of this private data is floating around for those purposes. And so I think, having a vision towards that, as we start to deliver that it's going to benefit all of the consumers of that technology, right? And so I do think we have to broaden this out, because they think if we continually say "one organisation is going to own the future of a virtual reality world," that's probably going to be incorrect. There'll be a number of technology players, Nvidia is doing some really cool things with this digital clone of Earth and being able to, you know, look at storm patterns, and all of this really cool stuff. We know, the military is embracing AR and VR for training purposes, to drive down the cost of, you know, sending munitions down range, and again, being able to do that stuff. And so I do, but I think fundamentally, we have to ask ourselves the question, what do we want in this future? And I think everybody needs a voice at that table. Certainly security should be at the table, but there needs to be other consumer voices there as well, to advocate for things like what happens when we have cyber stalking and bullying, how are we going to do this? What are we going to do when you have completely made up personas in a virtualized reality that look like me, that talk like me? How am I as a consumer going to be able to vet Rory on the other end of this call in a virtualized world, to know that that's actually who it is that I'm talking to, and then take action based on that. And you can imagine, in a corporation where a CEO can tell a CFO to wire transfer hundreds of thousands of dollars outside of a company, that's going to become a problem. We were already seeing that in the current version of the digital world that we have. And we will certainly see massive amounts of scam and fraud inside of, you know, the metaverse, virtual reality, whatever we call that.

Rory

Right I mean, I know that there are already, you do see reports around deep fakes being used for job interviews. And some of that might be at the moment, again, still in its early stages. But certainly, I can see the potential for identity fraud and phishing to kind of take on a whole new, a whole new identity in this new realm. I guess on that note, what do you what do you think, like a metaverse threat actor will look like?

Rick

It's very interesting. So what I think about is how cybercriminals always look at technology, right? And so again, because I got to wear this adversarial hat for a long time, and still do, and we think about the misuse cases, right? So it's pretty typical developer wants to get the thing working. How do we do this at scale? How do we make sure we're not burning people's eyeballs out or engaging the brain? These are all considerations as we're strapping things to our faces, right? From our perspective, we look at misuse cases. So how can I start to deny service to that thing, so that I can make the consumer or the organisation pay me some sort of extortion? Right? How can I start to — and you've seen some of this in attempts of virtualized worlds. How can I do something like digital mods that fill up a space that's supposed to be a safe space that's created for something right, so I'm interfering, you know, on those fronts, and then, of course, I'm how can I get to the money, right? So if the answer is, well, it's easier for me to go into the metaverse and scam another human than it is for me to create a bunch of malware that I then have to test, send out, figure out who QAs it, get somebody to click on a link, like I know we purport that it's fairly easy to trick humans. But that being said, we've got a bunch of technology to do that. That won't exist in the metaverse, right. So you can expect a number of security companies to start to address the risks as well. And then certainly, as companies start to adopt it, I mean, I think back to something simplistic, like when Furbies came out, right? And then the DoD banned them from the Pentagon because they recorded conversations, or Google Glass was banned from Google campuses when it came out because it recorded right. And so how does the other person know that the conversations report being recorded? Did they consent? All of those things, those are all considerations from a legal perspective and a risk perspective, we're gonna have to build into this new world. And I think, look, the cool part of all of it is, we actually get to design it. Right? Like, we're humans, we're now working on some in the future. And so we do get to look at the past, have those design considerations? And then really move forward with like, how can we start to fundamentally get rid of some of these things from the beginning, because we know that they're going to happen, right? And so I hope the opportunity is exciting for folks that are working on those projects.

Rory

I had never heard about that Furby ban. That's, that's incredible. It does raise kind of an interesting point, though, which is that certain dichotomies that currently exist in the sector are going to, I guess, necessarily have to be carried over into metaverse tech, such as public and private sector. If you're talking about educational bodies, but also government entities, perhaps even like you're saying the Department of Defence wanting to use metaverse tech versus private companies, are the necessary discussions around that happening right now? Or do you think there's too much focus on maybe the private sector applications, the business applications of this tech right now?

Rick

I think governments across the globe are struggling with the tech that they have, and so they're hesitant to start to adopt it. Certainly, you know, folks like DARPA, and some of the research agencies have, that's what they do. But I think more broadly, as you look at governments, they're really struggling with patching. They're, they're struggling with endpoint detection and response and being able to report that they've had a breach. Right? So you see, new executive orders new legislation across the globe, to try to get them to a place where it's reasonable security to build on top of, and so I do expect for the next few years, they have some fundamental projects and some heavy lifts that they're going through. Great, we encourage it, we're helping them as much as possible along with, I think, a lot of other vendors, but then they'll start to build upon that right. And so getting something like continual authentication over the technology they have, they they they're going to have to figure that process out, they're gonna have to figure the tech out, and then they can build on it, right? And so my expectation in the future is the work they're doing now, from a security fundamentals perspective, will benefit them in the future.

Rory

That's fantastic. So you mentioned you made a reference there to some of the work that VMware has been doing in this space. And in, in general, across the across the industry. Seeing, or given that this is something that is likely to create massive waves in the tech sector, however, it turns out, what is VMware specifically currently doing in anticipation of this sort of big shift?

Rick

Well, look, I mean, I think we have to work on this idea that things are born secure. So so you'll hear us say this a lot. You'll hear us talk about this a lot. What does that mean? It means that the design considerations for security and misused or thought about upfront, and then technology enables developers to be able to deliver that in a way that covers the full lifecycle. Now look, that's a whole mouthful, all of the security professionals that are listening in the IT professionals will understand parts and pieces of that, maybe that is a big piece is your secure software design lifecycle. A big piece is going to be the ability to contextualise all of the data and telemetry to be able to do you know, behavioural analysis to find the bad guys. That being said, what we're really working on, is this idea that applications and infrastructure are born secure, maintained throughout the entire lifecycle of that workload, that application, that server in a secure fashion, and then eventually turned off securely, right? So whether that's an encryption of data and deletion, whether that's ensuring that your data is backed up to an air gapped environment, that then is restored clean, all of those things is really, I think, what VMware is working on, because we understand, we're the fundamental virtualization technology that lives underneath all of this, right? And so, when we look at it, it's a stack, we have to provide, I think, strong prevention and detection controls there that other people can rely on build the top up, and that's what we're focused on.

Rory

And in your discussions with customers, is this coming up more and more as a concern, or maybe something that they're excited about that you're having to then discuss with them about the actual reality of it?

Rick

I'm very lucky, I live on the West Coast of America, and I work with West Coast companies. So we have a tendency to move a little faster than I think a whole lot of other places. So yes, I would say Northern California is already in some cases adopting, you see a lot of companies that are being built around it right to do those things. That being said, the rest of the globe, intentionally is a little slower, right? I mean, after all, these are the pioneers that are proving the tech and all of that stuff, right. So I get to see a little preview, I get to see some of the folks that are working on it. And then I think I have a pretty strong idea, as I talk to people about it. I can tell you, I've talked to no CISOs over the last 18 months where it's at the top of their project list. Generally speaking, ransomware is still at the top of that list. Again, the security fundamentals of being able to patch as quickly as possible, and then of course, recover from some types of these attacks. And then what they're really concerned about is the fewest number of tools to do the security job. So they're retooling. They're rebuilding their processes in an automated fashion, to again, with this eye towards being able to deliver quickly these other solutions coming down the road. And so fundamentally, we're fixing a bunch of stuff and architectures, to allow for the future and rapid delivery of these solutions.

Rory

That raises an interesting question about kind of, fixing the environment we have now before moving into this new space. Do you think that, whereas people are currently kind of talking around the metaverse technology as this, this whole new realm to exist in but in its current form, it's going to have to be entrenched in a lot of the systems that we already have. Do you think that there's a potential for some of the worst problems that we're currently experiencing to currently be carried over into into Metaverse technology?

Rick

Yes. And I'll give you one brief example. We're not writing a new internet protocol for the metaverse, it's going to be IPv6 and IPv4. Generally speaking, it'll be IPv6, because it's a lot of new companies that are adopting it. Manipulation of that TCP/IP stack is still real, those threats exist all the time, adversaries take advantage. And so again, we're using insecure protocols today that a bunch of technology had to be built on top of, to allow for things like transport layer security, session layer security, cryptography, the data at rest, all of those things, right. And so here's the good news. The good news is, we've proven a bunch of this technology over the last 25 years. I would certainly hope that again, as organisations are implementing this technology and organisations are building this technology, that we take those lessons and build them in. And crypto, in my humble opinion, it's a must like, like the fact that we are even telling consumers to consider using a VPN, like, no, your application should have good strong encryption built into it. And the consumer should not have to be concerned about the transport layer security. Now it's great that they are, I encourage everybody today to be, but that's just one small example of how the underlying, you know, internet protocols if at all are, you know, easily subverted and built on top of. And then of course, you know, Linux operating systems are still going to be in play, right? You know, things like software defined radio attacks for the chips in the motherboards, the firmware that sits underneath of all of that those are all part of the supply chain of the metaverse, and will need good security controls.

Rory

Is there a risk that we're moving too quick with Metaverse tech right now, and we risk sort of building it on top of all of these systems and reaching a point maybe in five to ten years where it's too late, we can't pull those systems out from underneath metaverse tech?

Rick

It's a good question. I think I have a futurist hat that I wear, and a technology hat. And I do love the future of technology. But then I have a very realist, a little bit pessimistic brain as well, which keeps me in security. So I think the pure security professionals, and if you asked any hacker, we would say yes, we're entirely moving too fast. But I think we would have said that of almost any technology. So that being said, I think there is a speed market and a balance here. Look, you've got to create a market, you got to sell into a market so that you can prove a market, go secure the market, right? And so those pieces don't exist in vacuums. And so I do think we have to move fast in certain areas. Certainly, I think I have some caution about just moving super fast when it comes to like, video game markets and stuff. Which is, fine and probably going to be where we see the largest spread of the technology first. So no, look, security is never going to get our way because if we did, it would take another 10-15 years of development. So we have to be realistic as well and say, look, I think there are amazing use cases in the future, you know, this idea that I can perform surgeries or consult for, you know, in a third world country where maybe they don't have access to surgeons. This is amazing, you know that what we're talking about here, I think, being able to bring humans together in a way, that's not a Zoom box. I know the last two and a half years Zoom boxes have been killing me, right? So at some point, I do think like it's going to be fun, it'll be really cool, some of the stuff we see from an AR perspective or, you know, walking into office buildings, those types. But yes, the adversaries are going to take advantage. And they're going to look for us to make some mistakes along this development path. And they'll take advantage of it.

Rory

So with that in mind, is this something that security teams and individual companies, on a customer by customer basis, should be worrying about yet, in anticipation of implementing this? Or is this more of a, like you were saying, a kind of secure by design concern for those architects that are leading the way in the sector.

Rick

I think if you're bleeding edge companies, certainly you're going to look to move as fast as possible, especially if you're diversifying your business portfolio as well, where you have an existing, you know, social or web company that I think could benefit from that adoption, you're gonna move a little faster. So it is probably a design consideration over the next three years for those types of organisations. Generally speaking, again, the design consideration the architecture, discussions that we're having, fundamentally revolve around things like continual authentication, zero trust, enabling, you know, again, born secure applications, where we understand vulnerabilities that exist, and then we're able to rapidly do those. Because we ran really fast to get to this point. And so there's a little bit of reworking we have to do in architectures, and most of it has to do with cloud, right? So if you think about how we used to do security versus how we're doing it now a lot of people are reworking it. Metaverse will be a consideration as part of this strategy, only because we know the metaverse will be powered by the cloud. And generally speaking, if you're accounting for some of the cloud security components, you'll be accounting for things that you need in the metaverse as well.

Rory

So with those security concerns to one side for a second. On a regulatory basis, how is the metaverse — this is a very broad question — but how is the metaverse going to be regulated?

Rick

This is a great question. I generally think regulation will follow all other regulations for tech, which means it'll be late to the table. Now, I don't say that to knock legislators or regulators. Generally, it's just the way that it goes, they have to figure it out. You know, clear considerations we're going to have to think about upfront: what do we do on education especially for, you know, children? Right? And who, you know, how is that going to work? And I have a whole lot of questions, right, I got a lot of nieces and nephews, that'll probably wind up strapping a headset on at some point. But as you can imagine, if you're a parent, you have major concerns over how that works in a non-physical way today. Now, I would also say, from a safety perspective, at least in America, there's probably some benefit to moving towards these models as well, right. So I think it'll be per-vertical. I think some of the, again, some of the industries will move a little bit faster than the other ones. And then what we'll see is iterations through regulations over time, right. So we know GDPR didn't get it exactly right the first time and there's the, you know, we know the California Privacy Act had to change. So we'll put something out there, it'll iterate, but it probably won't be fast enough to satisfy anybody's needs. Because generally speaking again, when it comes to things like cybercrime and theft, we have to observe the behaviour, laws across the globe have to be created, they have to be voted on, democracies take a little while to get that done right. And then we see some benefit from it. So I do think, particular to regulations in the industry that are helpful, something like PCI DSS, I think, has been more meaningful for credit card encryptions and to disrupt credit card theft. So adoptions of models like that, instead of adopting, you know, models that add a bunch of overhead for no particular reason than to add the overhead right. I think there's an effective way to do that.

Rory

It's interesting, you mentioned GDPR. But considering these issues across different continents across different countries, do you think also that this focus currently on the metaverse as if it's going to be one unified entity as opposed to a series of different metaverses used by different organisations, different entities will run into issues like data sovereignty as well, that maybe could stymie this unified vision that people are currently talking about?

Rick

I think the metaverse will follow the real world Internet, and we thought that the internet was gonna wind up 'The Internet'. It's not actually true. There's a lot of different internets, and a lot of different rules, especially depending on how you're governed, right? So no, I don't expect that say the CCP's version of the metaverse is going to be the exact same as the UK's, or the exact same as the US's. Certainly I think, the local citizen, and the consumers are going to have a big say, because they're voting with dollars, right? But I think each government has had to, again, based on risk, based on breaches, based on privacy, has had to sort of draw that line. And so what we've ended up with is a lot of different internets, and a lot of different piles of data around. I think the metaverse is is certainly going to find that, and I can't imagine that authoritarian governments across the globe are going to want to facilitate open access to information and not having a big say in how that's developed.

Rory

On that point of having a say, do you think that some sort of framework that companies could agree to that that governments could agree to around metaverse tech is necessary? Or or will it just naturally fall into, like you're saying, a geographic perspective?

Rick

No, I think generally technology happens to follow that right? So whether it's IEEE standards, ISO standards, that, you know, NIST standards, will certainly account for it as well. And so I would assume NIST is probably already looking at some guidance around metaverse. I'm probably not in the room for like the draft discussion, but at some point, it'll come out for a draft form. We as security professionals, with the way on it will iterate through the changes, make some recommendations. But yeah, I would expect there'll be specific, you know, standards for metaverse for things like communications, interoperability, all of those things. And if you're going to win in that space, you're going to have to be open. Like, I think it's gonna be really hard to go down the path of a closed technology unless you're someone like Apple who already has a massive consumer base.

Rory

To kind of round off the discussion: to turn one of the earliest questions I asked on its head, we've talked about a lot of the security drawbacks of metaverse tech. But given that we have an opportunity to, as you say, kind of author our own future with this technology, what are some of the real benefits or potential benefits that to security specifically, that that could be be achieved through metaverse technology?

Rick

Well, I'll tell you one that I think about all the time. And you hear this from security professionals: I have a team of people that help me, that team might be called the managed detection and response team, it could be called managed security provider, you know, we have all kinds of names for our third parties. But one of the hardest things to achieve is the context of what's happening in the environment, right, the familiarity of each one of these humans, or these groups of humans working together to drive a singular outcome. So, when it comes to upfront consulting, when it comes to architecture design, when it comes to incident response, when it comes to facilitating incident response across the globe, being able to do briefings, man, again, I think have disparate teams sit in a room like we're with each other on a virtualized whiteboard. It's one of the hardest things that I have a problem with today, with the technology that we have in place for remote work. And yes, I know there's tonnes of companies. Yes, we've used all the tech, it is not the same as sitting down real time with six people, when someone has their hands on a whiteboard, eraser. And we're just iterating through stuff, it's just not right. So I think I'm hopeful from that perspective. And then I certainly think from, you know, from my own home life, look, again, I have to get on planes all the time, my friends all have to get on planes, we are trading off that work life balance. And I think, for us, and our experience of burnout and fatigue, and the hours, I do think particular to cybersecurity, there will be an impact to that. And then I hope, if we actually do our jobs right, with continual identity authentication, maybe we can get to a place where we start to eliminate some of this fraud, and the scams, that one human purports to another human, because all they're doing is lying and tricking the other human. So maybe we can think about those use cases in the metaverse and drive some of them down, right? And I don't know how we do that yet. Some people would say we're gonna adopt MRI technology, other people, you know, it gets a little dystopian, too, right. That being said, we do have a chance to design it, we do have a chance to consider it. And so what I'm looking for, for these organisations that are building this technology, and the developers, and the architects is like proof, prove that it is trustworthy. Give me the transparency that we need to adopt it. Because I think we want to, we love the future, we love it. But it's just a little risky, and so you got to give us what we need to lead the organisations to this change.

Rory

Well it certainly sounds like if we play our cards, right, there's, there's lots to look forward to.

Rick

Absolutely, I think it's, it's just, it's really cool, right? I mean, we're at a point where we can, we can play with our own reality in a way that's safe, we can move significant chunks of pieces, like, you know, this idea that Nvidia did with this digital Earth. And being able to use actual weather models, and what happens if we, you know, move that, like putting all those pieces together that has a huge value to humanity. And that's the exciting future that I want to make sure, you know, we safeguard and shepherd this technology through.

Rory

Fantastic. Well, Rick, thank you so much for being on the show.

Rick

Thanks for having me.

Rory

As always, you can find links to all of the topics we've spoken about today in the show notes and even more on our website at itpro.co.uk. You can also follow us on social media, as well as subscribe to our daily newsletter. Don't forget to subscribe to the IT Pro Podcast wherever you find podcasts. And if you're enjoying the show, leave us a rating and a review. We'll be back next week with more insight from the world of IT but until then, goodbye.
