
Web 3.0, An Interview With Security Expert Jenna Waters Part I: Is it Really More Secure?

As is often the case, life is imitating art with the emerging Web 3.0. If you’ve seen Startup on Netflix, you may recall the disruptive, decentralized web they built to connect anonymous users. Essentially, it was a decentralized network that relied on individual nodes, rather than publicly available web infrastructure, where eCommerce was fueled by anonymous purchases using blockchain-based digital currency. Now, everyone is talking about the Semantic Web, or Web 3.0, which leverages blockchain technology and scores of individual nodes to accomplish what the creators of Startup envisioned in their storyline. Writers of that show correctly predicted that such a web would impact 3 key areas – security, privacy, and social structures – in both anticipated and unanticipated ways. I caught up with Security and Privacy Consultant Jenna Waters to examine both the benefits and potential concerns of Web 3.0 from these 3 lenses. This week, we’ll look at security.

Is Web 3.0 going to be inherently more secure?

Jenna Waters: As I understand it, Web 3.0 is going to give users the power to basically create their own online communities, as well as the ability to make decisions around how they approach technology, the spread of information, and how their own data is used or shared. More importantly, they are said to be able to make those decisions without intermediaries, like financial institutions, big tech companies, or government entities (more on those implications when we dig into social impact). Since this technology puts decisions about an individual’s data in the hands of the user, they can decide what information about them is restricted or shared, and with whom, by leveraging Web 3.0 technology. So, if a user has a great amount of knowledge around how to configure their settings on interconnected devices and technologies and manage their own data securely on a peer-to-peer transactional web, their personal data can be more secure, yes. However, security is not inherent for all people on any platform. For tech-savvy professionals, securing oneself is feasible, but not even we are perfect or immune to data exposure or social engineering. For average users, of whom there are far more in the world than there are tech-savvy users, these capabilities are likely to go untapped. Your parents and grandparents are excited if they figure out how to use a browser. Expecting them to understand and leverage advanced security features on a new technology just isn’t realistic. In a web architecture where information is even more connected to your user data, is readily available because it isn’t owned by separate entities, and all of it is rapidly accessed, less-informed users (most people) are actually unlikely to see any benefit whatsoever in their security posture. If anything, they may be more exposed. Those privileged groups armed with the right knowledge will, yes, be more secure, at least in theory.

Impact of More IoT Devices on Risk

To leverage these powerful new personal networks to their full capacity, users are predicted to engage more IoT devices in their homes and workplaces. The idea is to move away from the smart home model where you have to program everything, and towards a smart life model where your devices do the work for you, leveraging your user and behavior analytics to predictively book appointments, turn volume levels up or down, order groceries for you, etc.

How does this impact risk?

JW: By virtue of the fact that people will be rewarded for connecting more devices, they are likely to do so. And many of these additions will take the form of IoT devices in the home or as wearables in which little to no inherent security features are seamlessly incorporated as part of their development or production. So, more connected devices, particularly IoT devices, means an increased attack surface. So, that is going to negatively affect your cybersecurity posture.

To accomplish the convenience factor with Web 3.0, a form of augmented machine intelligence is applied to your data, supporting the growth of your personal network, or schema, with each new action. For example, when you say the word “dentist” in the context of language that indicates intent to book an appointment, your phone may predictively pull up your calendar and suggest a date, dial the office to see what dates and times are available, turn down your stereo to ensure you can hear an agent on the other line, and preemptively send any relevant medical information if you move forward with the suggested course of action. Of course, all this data already exists in pockets held in a pseudo trust by third parties. So, it isn’t necessarily that there will be more data available in the new model, but the fact that all of it is connected together for your convenience at a rapid pace using untested technology is where I see the potential for increased security risks to individuals.

Balancing Pros and Cons

JW: To be clear, I’m not saying we should cast aside innovation of Web 3.0 or refuse modernization due to risk, but attack surface and the human element are factors you have to consider when objectively assessing your risk posture and whether or not you will actually be more secure when using any given technology. It’s a problem that will need to be solved, and just like settings within an app, the ability to put the right mitigating security controls in place for IoT devices is not a realistic expectation to have of the average person.

Does the structure of user-based, individual networks limit the scope of web-based cyber attacks?

JW: The implication is that rather than hacking a database for a single dataset on a massive group of people, hackers can target an entire person – all the information available on them at once. The kind of attacker you invite in this model is not the corporate attacker who works for payment, but a truly dark human who wants to go after a particular individual for one reason or another. But, we can dig into that in another installment when we discuss social implications. In no way will this do away with corporate attack models, because cyber cartels are too smart and too greedy for that. They will simply pivot to find the new best way to make money on access and data, the way they always have.

All Technology Has Weaknesses

Additionally, like any technology, flaws and vulnerabilities come with the territory. Just recently, for example, browsers were accidentally leaking private data of Ethereum users due to a flaw. Bitcoin has been perceived by most people as impenetrably secure. Yet, we have an example, here, of the imperfect nature of all technology. Attackers live for these kinds of flaws and vulnerabilities that they can exploit. Where there’s a will to hack, there will always be a way.

In a world that is modernizing at breakneck speed, it’s tempting to find the newest technologies, go through a demo, and roll them out with the excitement of all the business they can enable. As with Web 3.0, all technology rollouts should undergo a security-by-design phase, where your entire architecture is considered, and solutions are implemented with best-practice security controls in place from day one. By baking security in from the beginning, and considering how your new technology may impact your organization’s compliance requirements, you can better plan and document mitigating security controls.

If you would like to have a conversation with one of our experts about your next technology rollout and planning with security in mind, you can Request a Consultation.
