Cyber Insights 2023 | The Coming of Web3

About SecurityWeek Cyber Insights | At the end of 2022, SecurityWeek liaised with more than 300 cybersecurity experts from over 100 different organizations to gain insight into the security issues of today – and how these issues might evolve during 2023 and beyond. The result is more than a dozen features on subjects ranging from AI, quantum encryption, and attack surface management to venture capital, regulations, and criminal gangs.

SecurityWeek Cyber Insights 2023 | The Coming of Web3 – Web3 is a term that has been hijacked for marketing purposes. Since web3 obviously represents the future internet, claiming to be web3 now is a claim to be the future today. Such claims should be viewed with caution – we don’t yet know what web3 will be.

Two of the biggest culprits are the cryptocurrency and NFT investment industries, which both use blockchains. They have claimed to be web3 so vociferously that some pundits believe that web3 is blockchain. This is way too simplistic – these are just applications running on one technology that may become one of the web3 building blocks. 

Before we discuss the evolution of, and issues with, web3 in 2023 and beyond, we’ll first define one specific view of its basics. 

A tentative definition of web3

Web3 will be the next fundamental characterization of the internet. Currently, its characteristics are clouded by confusion because it doesn’t exist. We won’t know what it is, until it is. Nevertheless, we can make some basic predictions because it will evolve from the current web2 and is bound by the rules of evolution. So, we must start with where we are to predict where we are going.

Web1 can be described as the static web. It was designed to deliver static information from information creators to information consumers. We still use web1.

Web2 can be described as the interactive web. It was designed to allow creators and consumers to interact. Three major examples are online banking, ecommerce, and social media. This is what we have now: a combination of web1 and web2.

Web3 can be described as whatever comes next. It will be an attempt to improve on web1 and web2. Most likely it will be an attempt to correct perceived faults or weaknesses in web2 and improve the users’ internet experience. We’ll focus on these characteristics in our projections for web3 focusing on decentralization and the metaverse — but remember that at this stage, it is still just conjecture.

Decentralization
A perceived fault in web2 is that it allows data to be centralized and focused in the hands of a few mega corporations. Big tech, including companies like Facebook, Microsoft, Google, and Apple own most of the world’s available data. More specifically, they own everybody’s personal information.

This is a problem both politically and socially, and is the primary driver for legislation designed to prevent big tech (and medium tech) from misusing and abusing personal data. GDPR, CCPA (and other privacy legislation), and the FTC’s increasing ‘overview’ of the misuse (which it defines as malpractice), can be seen as political attempts at correcting this fault in web2. We can add that the centralization of data is also a primary cause of cybercriminality, providing Aladdin’s Caves of rich pickings for criminals.

A better solution would be for the internet itself to reduce the stranglehold of big tech by becoming decentralized — companies do not need to own data to be able to confirm identity. Isolated attempts at decentralization already exist. Cryptocurrency (technically, at least) is an attempt to decentralize finance. The interplanetary file system (IPFS) is an attempt to decentralize data held in individual files.

One likely component of web3 will be a decentralized internet — and the distributed ledger implemented as blockchains is the most likely route. Big tech will not support this evolution.

Immersive
A move towards a more immersive internet experience is already in progress. The improvement on web2 is that users wish to move beyond interacting with the internet to becoming part of the experience. This development can be seen in the evolution of the gaming industry — from text-based adventure games, to video platform games, to 3D games and now virtual reality gaming.

But it is also apparent in business. Covid-19 created a need for remote conferencing. This was already available via telephone conferences; but the rapid rise of videoconference tools such as Zoom demonstrates users’ wish to feel more involved – or integrated with the experience. The next logical step is for videoconferencing to evolve into virtual reality conferencing using the same tools and techniques developed for virtual reality gaming.

Web2 is already evolving towards an immersive internet, and ‘immersive’ is likely to be another component of web3. The current ultimate view of an immersive experience is the metaverse.

Web3
The evolutionary pressures on the internet seem to be focusing on two characteristics: decentralization and immersiveness. This is how we will describe the next internet. Note that neither characteristic is dependent on the other, but there is synergy in their marriage. Metaverses do not need to be decentralized but can become so using distributed ledger technology (DLT). Metaverse and DLT are likely to be the key components of web3. The evolution will not be completed in 2023 (in fact, it has barely begun), but there will be much progress in that direction.

But note also that there are competing pressures. Big tech recognizes the value of the metaverse concept (Facebook has even changed its name to Meta), but big tech will not want decentralized metaverses where they lose ownership of users’ data.

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

The technology waiting game

The excitement with which 2022 greeted the dream of the metaverse dissipated into disillusionment over the course of the year. The technology simply isn’t ready to deliver on the dream; but that dream remains. 

Massimo Paloni, chief operations and innovations officer at Italian luxury brand Bvlgari, explained both the problems and the promise of the web3 metaverse. When you buy a product, he said, especially a luxury product, you go to the store not just for the product, but also for the experience. The experience is ‘storytelling’ by the vendor — and all storytelling changes with advances in technology. But the way that technology is used must always be aligned with the vendor DNA.

“Our mission is to be sure that the use of new technology – web3, blockchain and metaverse – is aligned with our value proposition. That is the key,” he said. Web2 ecommerce fails for the luxury brands. “Ecommerce is a bidimensional experience. It kills the magic of going to the store. All ecommerce is beautifully crafted — but ultimately all the stores are similar.”

The promise of the metaverse is that it will allow vendors, especially luxury vendors, to maintain their own storytelling in engaging with their customers. Better engagement, which isn’t supported by web2, will lead to higher sales. But the problem is the technology is new and evolving, and developers still don’t know what might be available in three- or four-months’ time – nevermind a few years.

“Content is absolutely king here – the technology will undoubtedly become better and better, but this is not enough in itself,” says Lars Seier Christensen, chairman of Concordium and founder of Saxo Bank. “Users need to achieve real benefits to embrace it – across areas like entertainment, better access to goods and services, valid commercial models and otherwise unachievable experiences.” What we’ve seen so far over the last year or two has failed to deliver this, and quickly became boring and irrelevant.

“2022 wasn’t a good year for the metaverse,” adds Orlando Crowcroft, tech and innovation editor at LinkedIn. “Two of the most prominent metaverse platforms – Decentraland and Sandbox, with valuations of over $1bn each – were revealed to have under 1,000 daily active users. And Meta’s Horizon World was so unpopular that even staff had to be pressured to use it.”

But he added, “Metaverse enthusiasts should take heart. In 2023, we will see the metaverse take off – in the professional world. VR and AR are being used right now to train pilots and surgeons. Expect employers, universities, and training programs to jump into the metaverse in even bigger ways in the new year.”

Just as the metaverse is a new concept, crime in the metaverse is an unknown quantity. “Virtual cities and online worlds are new attack surfaces to fuel cybercrime,” warns Aamir Lakhani, cybersecurity researcher and practitioner for Fortinet’s FortiGuard Labs. He is concerned that a metaverse will be an open door to new cybercrime in uncharted territories.

“For example, an individual’s avatar is essentially a gateway to PII, making them prime targets for attackers. Because individuals can purchase goods and services in virtual cities, digital wallets, crypto exchanges, NFTs, and any currencies used to transact, offer threat actors yet another emerging attack surface,” he said.

He also worries about biometric hacking. The AR- and VR-driven components of virtual worlds may make it easier for a cybercriminal to steal fingerprint mapping, facial recognition data, or retina scans. Finally, he added, “The applications, protocols, and transactions within these environments are all also possible targets for adversaries.”

Kaarel Kotkas, founder and CEO at Veriff, sees trust in identity as the biggest problem. “If the metaverse is to be successful,” he said, “there needs to be a guarantee that users are who they say they are.”

“If the Metaverse is to live up to even a portion of its hype,” adds Padraic O’Reilly, co-founder and CPO at CyberSaint, “security will have to be baked in from the start. That is, it should be part of the conception. There should be a kind of cyber charter from the largest participants that stresses transparency, and laws for individuals. Cyber is everyone’s responsibility in the future.”

He also believes that regulation will be required over user identity. “To ensure the security of experiences and transactions in the metaverse, zero trust architecture and more legal protections (blockchain is too authority averse) are required. Without a central authority backing the purported ironclad data integrity of the blockchain, it will remain vulnerable.”

It is worth noting, however, that a ‘central authority’ is at least conceptually contrary to the ideal of decentralization.

Patrick Harr, CEO at SlashNext, continues this theme of identity. “Artificial intelligence solutions will be needed to validate the legitimacy of identities and controls,” he says. “This new type of digital interface will present unforeseen security risks when avatars impersonate other people and trick users into giving away personal data.”

But of course, AI will be used for attack as well as defense. Deepfaked avatars supported by AI chatbots will be used. “We can expect to see more of these holographic-type phishing attacks and fraud scams as the metaverse develops,” he continued. “In turn, folks will have to fight AI with stronger AI because we can no longer rely solely on the naked eye or human intuition to solve these complex security problems.”

Ultimately, security in the metaverse and web3 in general is both a threat and an opportunity. Traditionally, security is largely reactive – we fix things after they have been exploited. But “With web3 we have the opportunity to change the game in terms of security,” suggests Rodrigo Jorge, CISO at Vtex, “and construct something that has security by design, and is planned from user experience to the system architecture and infrastructure.” 

He believes security professionals and companies have the opportunity to adopt security in this early stage so that when web3 becomes popular, it will be safe. 

The progress of decentralization via blockchain

“Web3 reflects an architectural shift decentralizing management of platforms. As platforms decentralize, the organizations that manage them will have to find ways to federate replacement controls for those they had centrally deployed,” says Archie Agarwal, founder and CEO at ThreatModeler. “When organizations design such tectonic shifts in their architecture (like the aggressive decentralization of web3), it’s incumbent on them to model the threats and adjust their security controls that such a shift will expose.”

Value from cryptocurrency technology

While cryptocurrency (as opposed to cryptocurrency technology) is peripheral to a discussion on web3, it cannot be dismissed entirely. Bitcoin demonstrated the security available in the blockchain implementation of the distributed ledger. But it is blockchain rather than cryptocurrency that is important to the development of web3.

Merav Ozair, a fintech professor at Rutgers Business School, commented on Nasdaq (December 20, 2022), “There is no doubt that the benefits of blockchain technology and web3 are immense. Jamie Dimon, CEO of JPMorgan, who has bashed bitcoin, has always been one of the great supporters of blockchain technology. JPMorgan is one of the leading companies in web3 and has made significant investments in blockchain technology, web3 and the metaverse since 2015.”

She also notes that the value of decentralization (in this case, cryptocurrency) has been demonstrated during the Ukraine/Russia conflict. The Ukrainian government has asked for donations in cryptocurrency, which has been adopted as a primary currency in the country. 

“These instances underscore the promise of blockchain when Bitcoin, the first blockchain, was launched in January 2009, that a decentralized, peer-to-peer system, accessed by everyone, with no need for intermediaries, can empower everyday people: a system that is for the people, by the people,” she explained. This is the primary advantage of decentralization.

A security weakness in the unfolding web3 will come from its ‘newness’. “Looking forward, attackers are again adjusting their tactics to target individuals in the new web3 world,” comments Hank Schless, director of global campaigns at Lookout. “Since web3 is still a new concept for most people, attackers can rely on the unfamiliar environment to increase the likelihood of success. This is a common tactic, as targeted individuals may not know exactly what red flags to look for in the same way they do with a suspicious social media message.”

Christian Seifert, research at Forta, takes this further. “The current state of the De-Fi market [currently the primary implementation of decentralized blockchain], especially with mounting losses due to hacks and rug pulls, has reduced some of the trust that investors previously had in this industry,” he said.

Security issues 

“I believe the problem will continue to persist unless better security measures are implemented across the board. In this regard, we need an overhaul of the security strategies prevalent today to provide better end user privacy (via the use of, say, wallets) and improved protocol safety.”

In particular, he recommends “routine audits, offering bug bounties, maximizing monitoring and incident response – potentially via the use of future-ready technologies such as artificial intelligence and machine learning – and offering clients cyber insurance.”

Financial institutions 

Since the blockchain was originally developed for use in the finance sector, it should be no surprise that the finance industry is one of the more interested sectors. “There is a major trend of blockchain adoption in large financial institutions,” says Nick Landers, director of research at NetSPI, specifically citing Broadridge, Citi and BNY Mellon. 

“The primary focus,” he continued, “is custodial offerings of digital assets, and private chains to maintain and execute trading contracts. Despite what popular culture would indicate, the business use cases for blockchain technology will likely deviate starkly from popularized tokens and NFTs.” Instead, he believes, industries will prioritize private chains to accelerate business logic, digital asset ownership on behalf of customers, and institutional investment in proof-of-stake chains.

By the end of next year, he expects that every major financial institution will have announced adoption of blockchain technology, if it hasn’t already. “While Ethereum, EVM, and Solidity-based smart contracts have received a huge portion of the security research, nuanced technologies like Hyperledger Fabric have received much less. In addition, the supported features in these business-focused private chain technologies differ significantly from their public counterparts.” 

It is worth noting that private blockchains are not decentralized blockchains – which begs the question, are they really web3?

Either way, this ultimately means more attack surface, more potential configuration mistakes, and more required training for development teams. “If you thought that blockchain is ‘secure by default’,” added Landers, “think again. Just like cloud platform adoption, we’ll see the promises of ‘secure by default’ fall away as unique attack paths and vulnerabilities are discovered in the nuances of this technology.”

Dissatisfaction with big tech’s control of social media has led to the exploration of alternative decentralized approaches. Mastodon, as an alternative to Twitter, is one example. It is decentralized but based on federation rather than blockchain. “Instant global communication is too important to belong to one company,” explains the Mastodon website. “Each Mastodon server is a completely independent entity, able to interoperate with others to form one global social network.”

But a blockchain – more specifically a multichain – social media alternative may appear in 2023. On December 20, 2022, Beepo officially closed the beta version of its decentralized app, and expects to launch in early 2023.

At the beginning of December 2022, Concordium announced an agreement with Beepo to incorporate its native token, CCD, as a means of payment on the platform. “Beepo, a blockchain-based platform powered by E2EE and an AI/ML algorithm with a focus on privacy and security,” explained Concordium, “is protected by end-to-end encryption technology and autonomous moderation, ensuring a totally secure environment for user interactions.”

The Beepo App offers a DApp (decentralized app) browser, tools for independent contractors, features for content creators, and a multichain blockchain infrastructure that lets users engage with various tokens and multiple networks. It is a response to growing user concern over the controlling and often abusive concentration of personal data within web2 big tech firms.

Web3 progress in 2023 

The blockchain part of web3 (disregarding the question of whether private blockchains can even be considered part of web3) will probably develop faster than the metaverse during 2023. William Tyson, associate analyst in the thematic intelligence team at GlobalData, foresees a metaverse winter in 2023. He believes the immaturity of enabling technologies like virtual reality (VR) and artificial intelligence (AI), as well as cooling consumer interest, will prevent the metaverse from being adopted widely in the next year.

He adds, “The absence of a single vision for the metaverse means that its future is malleable and uncertain. Its extraordinary long-term potential is widely recognized, which is why big tech is continuing to funnel billions into its creation— despite the absence of short-term return on investment. The concept will experience a cold period, but this provides an opportunity for underlying technologies to develop.”

Meanwhile, the blockchain part of the equation will pick up steam in 2023. “We don’t have a defining trend for web3 in 2023, but that what we do have instead is an undercurrent of heads-down building and experimentation being done both by developers as well as traditional brands, setting the stage for a really exciting 2024,” says Dan Abelon, partner at Two Sigma Ventures. 

“On the developer side, one area to watch is messaging: enabling decentralized services to communicate directly with end users,” he adds. “On the brand side, I’m excited to see more experiments like those by Reddit and Instagram in recent weeks, that will help bring web3 into the mainstream.”

The metaverse and blockchains are not interdependent – each can exist without the other. However, a decentralized metaverse will require blockchains. Consider a metaverse shopping mall. Like the physical mall, it will comprise multiple businesses operating effectively in one place. In the physical world, shoppers walk from one shop into another. In a web2 shopping mall, they would need a different URL and to log on and present identity credentials to each store.

In a decentralized metaverse, with identity held in a trusted blockchain, identity verification could simply be the presentation of an NFT-like token. This would confirm the user’s identity without requiring personal details to be given to every business in the metaverse – allowing the user to travel freely between the organizations of the mall metaverse.

Within each ‘shop’, three-dimensional images of goods can be investigated. Shopping baskets could be maintained by the collection of NFTs associated with the goods, and could be instantly purchased via a cryptocurrency or NFT from the user’s wallet.

The security issues are primarily fraud via user impersonation, although the user identity is protected by blockchain. One thing that is certain, however, is that as this new cyber world evolves, criminals will be looking for new ways to attack it.

Web3 will happen. What it will look like is not yet known. Blockchain technology is expanding beyond just cryptocurrency, and the use of non-investment NFTs is growing. 

The attraction of a metaverse is undeniable – but we’re going through a phase of disillusionment right now. This is perhaps typified in the disappointment of Meta’s legless cartoon avatar torsos in its Horizon Worlds metaverse.

But we should remember that all of this is new technology with kinks. The AR and VR headsets are still developing; the software development is still new. The potential for the metaverse is too great to ignore. Its synergy with decentralization makes it especially attractive.

It won’t materialize for many years – but development of web3 will continue through 2023 and beyond. The immersive metaverse rather than blockchain will be the defining technology.

Related: Securing the Metaverse and Web3

Related: Hackers Steal Over $600M in Major Crypto Heist

Related: Protecting Cryptocurrencies and NFTs – What’s Old is New

Related: How Blockchain Will Solve Some of IoT’s Biggest Security Problems