The move to the Metaverse, an open-ended collection of digital experiences, environments and assets leveraging virtual technologies, is imminent. Backed by tech giants including Meta, Microsoft and Google, this environment has the potential to change many aspects of everyday life, from education to healthcare. In February 2022, Gartner predicted that 25% of people will spend at least one hour per day in the Metaverse by 2026.
However, considering the surge in cyber-attacks and data protection issues following accelerated digitalization during COVID-19, experts have expressed concerns that the Metaverse will quickly become a security and privacy minefield. Cybercrime and fraud are areas of concern as well as the technology offering new ways of undertaking general criminality.
Nick Biasini, head of outreach, Cisco Talos, explained: “In the interim we are likely to see criminals take their endeavors from outside the Metaverse, into the Metaverse. These are likely to include fraud elements as there is significant financial assets in the Metaverse and little recourse for victims of cryptocurrency theft.”
It is a new challenge that law enforcement agencies, already adapting to the growth of online crime, must prepare for. Pieter Danhieux, co-founder and CEO, Secure Code Warrior, commented: “One of the biggest issues with the Metaverse is that despite it not being as brand new as many think, few understand it from a security perspective. The concept of ‘Web 3.0’ is something of a new frontier, and I fear that we just don't have the resources or the general security standards to keep up with the rapid generation of threats that we will likely experience in new ways.”
Encouragingly, this issue is being recognized. In October 2022, Europol issued a report entitled Policing in the metaverse: what law enforcement needs to know, which urges police forces to start thinking now about the challenges and opportunities created by the Metaverse. It warned that the Metaverse will lead to an elevated threat in numerous areas, including:
- Ransomware targeting devices such as VR headsets
- Identity theft/fraud made possible by stealing users’ biometric details and creating more realistic deepfakes
- Money laundering via a range of decentralized, specialized cryptocurrencies as well as non-fungible tokens (NFTs)
- Harassment and child abuse and exploitation, including grooming, the sharing of sexual abuse content and potentially the use of haptics and tactile technology to physically interact with victims
- Terrorist propaganda, recruitment and training
- Targeted mis and disinformation
Policing Challenges
Police forces must enhance their capabilities to detect crime in the Metaverse and ultimately bring perpetrators to justice for their actions in this new environment, but doing so will be a challenge.
Jake Moore, global cyber security advisor at ESET and former computer crime investigator for Dorset Police, acknowledges this challenge, especially given the lack of resources and focus on dealing with cybercrime. “Both cyber-enabled crime and cyber dependant crime have seemingly crept up on police forces around the country and left many still without the vital resources necessary to properly police this hugely growing area of crime,” he outlined.
However, he believes these experiences should be learned from, with governments and police chiefs taking steps to prepare their forces for the incoming wave. “Advanced technologies is not something often associated with local police forces but when the Metaverse becomes the new ‘on the beat’ local offences, it will need to adapt pretty quickly. Police forces have often learnt the hard way in digital offending and been late to the party but this should be seen as an opportunity to get ahead of the curve while they can,” added Moore.
"Police forces have often learnt the hard way in digital offending and been late to the party"
Emerging technologies being exploited by threat actors is a constant problem for the police, and Ramsés Gallego, international chief technology officer at CyberRes and member of the ISACA Emerging Technology Advisory Group, emphasized the importance of forces being equipped with AI and machine learning technologies “to see patterns of behavior and predict the next move of the attacker.” This is even more essential with the Metaverse “since it is a new platform and a new ecosystem that deserves the attention of the ‘regular’ world, with all the troubles of fake information, identity theft, etc.”
According to Cisco Talos’ Biasini, the anonymity afforded to Metaverse users, who can choose a new persona, will be a major challenge for law enforcement. “This same anonymity makes it difficult to connect a persona in the Metaverse to an actual person. Once you layer on top any potential jurisdictional issues with people from other countries it is ripe for abuse,” he noted.
Immersive Experience
Moore believes police cybercrime units should already be immersing themselves in the Metaverse, anticipating how and where offenses will occur. “Police officers are excellent at thinking like criminals and would be best suited learning this new technology in the early phases to see what is possible and how to prove inevitable forthcoming digital crimes,” he said.
A key component of criminal investigations, especially in cyber, is intelligence gathering and collaboration. In the Metaverse, this will require close cooperation with the tech firms involved in developing these experiences. “The Metaverse potentially offers a wealth of data and could be pivotal in many low-level crimes or even large-scale offences,” stated Moore.
However, he pointed out that police forces have often experienced difficulties in obtaining crucial data from the servers of such companies. Therefore, “police officers will need to find a way of capturing evidence from within offender’s and victim’s accounts without changing any of the data.”
CyberRes’ Gallego also emphasized the importance of building partnerships with Telco companies, which possess the infrastructure through which attacks are perpetrated. This requires more legislative agreements across borders to tackle such crimes committed through different countries, routers and infrastructures. “We need an international agreement and the skillset for police officials to withstand attacks and investigate without limits, but with an imperative ethical approach with the only goal of protecting and defending,” he noted.
As the maxim goes, ‘prevention is better than cure,’ and law enforcement should be reinforcing this message to organizations involved the development of the Metaverse to make it harder for cyber-criminals. “At the end of the day, developers will be the most active in creating this new experience for us, and they must be included in the security process as often and early as possible. They need precision training on the vulnerabilities that they are likely to face, and the opportunity to get hands-on with threats in the languages they are actually using every day,” commented Secure Code Warrior’s Danhieux.
Cybersecurity in the Metaverse will be a gradual evolution but can be assisted by the knowledge garnered from years of fighting cyber-threats on other digital systems.
“Organizations must never forget that likely millions of people will eventually be trusting them with what will amount to their digital life, and the responsibility we have to keep them safe cannot be overstated,” added Danhieux.
Organizations in this space need to start developing approaches to defend against threats now, such as the controls to remove bad actors and user education. Governments and law enforcement agencies must ensure this message is conveyed loudly and clearly.