Securing the Metaverse: The Gulf’s Real-World Challenges for a Fictional Universe

The next big thing in digital transition is here, with a shiny fancy name and the promise of exciting breakthroughs in multiple fields such as marketing, business productivity, and social interactions.

In fact, the Metaverse is expected to reshape our universe with real-world applications as diverse as the human creativity allows, and it seems that countries in the Gulf Cooperation Council (GCC) have realized the value this new experience adds. However, the Metaverse brings various security and privacy challenges to the table. What are those challenges, and how are the big players in the Metaverse planning to address them?

The Gulf’s plans for the adoption of the Metaverse

Dubai

In an unprecedented step, Dubai’s Virtual Assets Regulatory Authority (VARA) became the first regulator in the world to enter the Metaverse by establishing Metaverse headquarters. H.H. Sheikh Hamdan bin Mohammed bin Rashid Al Maktoum, Crown Prince of Dubai and Chairman of Dubai Executive Council announced that the step aims at reaffirming Dubai’s place as a leader in technological transformation and “ushering in a new era in which Dubai Government utilises modern innovations to extend its services and regulatory power to audiences in an open technological expanse, without constraints or borders.”

Additionally, a dedicated task force is being formed by the Dubai government as part of a strategy that is expected to secure $4 billion in contribution to Dubai’s economy by 2030. The strategy is anticipated to benefit from the Metaverse’s capabilities to create 42,000 virtual jobs and increase the productivity of professionals in various industries. Resident surgeons’ performance is projected to increase by 230 percent, and the productivity of engineers by 30 percent.

In a separate initiative, Emirates, Dubai’s flagship airline and the world’s first airline to launch a virtual reality app on the Oculus store, has also announced its plans to build brand experiences in the Metaverse, highlighting once again the marketing value added by this technology.

The airline also plans to launch both collectible and utility based NFTs for its customers.

The Kingdom of Saudi Arabia

Building a $500 billion eco-friendly city spreading across 26,500 squared kilometers and running completely on renewable energy sounds like something out of a science fiction movie. However, this is the very real and contemporary project that Saudi Arabia has embarked on.

NEOM is Saudi Arabia’s take on a city of the future, a smart city that will serve as a hub for tourism, technology, innovation, and advancement in many fields such as healthcare, energy, sports, design, construction, and education. In comes the Metaverse.

Saudi Arabia announced its plan to build XVRS, NEOM’s digital twin in the Metaverse. The real-world – if you can call it that – applications of XVRS are many. NEOM’s twin will allow visitors to experience a digital version of the city. They would be able to walk around its streets and admire its buildings without leaving their couch. It will also let visitors inform construction activities before they are complete, enabling the customization of apartments before they are built.

Additionally, the interests of visitors of the Metaverse could inform decisions in the real world. The purchase of a large number of apartments in a certain building in XVRS might mean that apartment sales in the same building in NEOM will likely be positive in case it was built.

And let us not forget our modern-day form of art, the Non-Fungible Tokens (NFTs). Those will be sold in a marketplace in XVRS to be later experienced in both the virtual and physical worlds.

Qatar

Qatar Airways, the national airline of the State of Qatar is one of the Gulf companies that have realized the marketing advantage the Metaverse brings to early adopters. The airlines have built QVerse, a virtual world that visitors can wander by simply visiting a web page on their website.

QVerse allows potential passengers to enjoy a virtual tour of multiple stages of a Qatar Airways flight. The tour starts at Hamad International Airport’s premium check-in area where the passenger receives a boarding pass from a MetaHuman cabin crew. Afterwards, they board the airplane where they can check the different economy and business class sections.

While exploration possibilities in QVerse are limited and the experience is still far from that of the real world, Qatar Airways’ virtual world still offers a glimpse into the possibilities that the Metaverse brings.

Security challenges

With the introduction of a new universe comes a completely new, mostly unfamiliar threat landscape posing a multitude of security challenges, some of which are unprecedented.

This is accentuated by the fact that the Metaverse will be processing huge amounts of data at unparalleled speed for subjects that are sometimes more vulnerable than others, such as children and teenagers.

Threats to physical security

When listing the most important risks that need to be addressed, we will start with the one with the highest impact, which is the potential loss of human life. In fact, some applications of the Metaverse are based on interactions between the virtual and physical universes. If users are not completely aware of their real-world surroundings when navigating the Metaverse, they might find themselves in hazardous situations. While most of the security challenges can be addressed one way or another, it will be interesting to find out whether the physical security of Metaverse users will be addressed and how.

Identity theft

Imagine your avatar walking into virtual government headquarters to conduct a certain transaction, or into your bank’s virtual branch to apply for a loan, except that in this case, your avatar is being controlled by an imposter committing fraudulent transactions on your behalf.

The irony with identity theft, whether in the Metaverse or the real world, is that this high-impact risk can easily be mitigated with adequate user awareness and appropriate identity and access controls, yet millions of users in the GCC and the world have failed time and time again to do so. Additionally, many companies I have closely worked with in the Gulf had still not realized the importance of user awareness, the necessity of spending on the right multi-factor authentication controls, and the need for zero-trust architecture when protecting the organization’s crown jewels.

Privacy breach

While some organizations see the Metaverse as a way of improving sales or productivity, other players, mainly the biggest ones such as Meta (formerly Facebook) are more interested in the private information the Metaverse users will be willingly providing. One might argue that data privacy regulations will expand to cover the Metaverse, thus providing users with some level of trust when clicking “I accept” – or in that case maybe pressing a virtual button. The issue with this argument is that it misses two major points.

The first point being that under the table, even the most reputable companies have been known to break the law, and the data from 553 million people from Facebook’s Cambridge Analytica scandal should serve as a reminder for years to come.

The second point being that the Gulf’s adoption of data privacy regulations remains slow, although countries such as the United Arab Emirates have already passed data privacy protection laws. The issue does not lie with the governments which have been quick to draft the laws, but rather with the organizations’ compliance with the laws, seeing that I have personally witnessed many companies in the GCC that were not ready for radical changes in dealing with client information, especially in one of the world’s most fast paced and technologically advanced regions.

Complex infrastructure

What brings the “Meta” to Metaverse is the massive amount of metadata that comes to play. Things like your information, preferences, interests, and physiological and biometric data are transmitted in real time across the globe and between different services and applications.

This requires a complex underlying network of interconnected services. The unprecedented level of integration lowers cohesions, increases coupling, and dramatically increases the attack surface. From a cybersecurity perspective, many concerns stand out: the increased attack surface reduces visibility and complicates threat modeling, and risk assessments. Additionally, security controls around system integrations need to be robust enough to protect the sensitive information communicated, but they also need to avoid increasing latency and lowering communication speeds during real-time interactions with the virtual universe.

Supply chain and third-party management

While supply chain and third-party security has been under the spotlight, with incidents like that of SolarWinds and Log4j making the headlines in recent years, we can still witness large organizations mismanaging, or in some cases completely disregarding third-party security.

The GCC has seen a recent shift towards telemedicine, even before COVID-19. With the emergence of the Metaverse, we can expect telemedicine to take place in a virtual clinic, where patients implicitly trust that their health information will be protected by the health service provider. It is hence the provider’s responsibility to ensure that any third parties, supply chain members, or subcontractors implement adequate data security controls when dealing with the patient’s information.

I have failed to see this happening so far, except with companies that have been the victims of an attack through one of their suppliers. Unfortunately, third-party security has been addressed in a reactive manner. It remains to be seen whether the approach to supplier security becomes proactive or not within the Metaverse.

What lays ahead

With every new endeavor come new challenges, and with every new challenge we have the opportunity in the cybersecurity community to grow and improve. However, the Metaverse and its reliance on sensitive information will put us through the toughest test yet.

Soon enough will know if organizations have learned from previous incidents, if they will take the confidentiality of their data subjects’ information more into consideration, and, with the Metaverse’s multi-billion dollar opportunities, if they are willing to spend more money in the right place.