Cybersecurity Considerations for Web3

We’ve begun a major shift in how the internet is structured. Our current Web2, defined by a read/write architecture that, until recently, was dominated by a handful of massive technology companies, is giving way to the next iteration of the internet: Web3. Unlike its predecessor, Web3 reflects a more decentralized internet where users and the community are in control instead of centralized companies. Its rise is as much a result of the natural evolution of technology as it is of the growing anti-big tech sentiment and doubts about big tech’s ability to create equitable platforms that act in the best interest of their communities.

At its core, Web3 seeks to improve and resolve issues with the current centralized platform-intermediated interactions. Gartner’s Avivah Litan defined Web3 as a decentralized web in which users can control their own data and identity. Web3’s foundation is blockchain-based technology, leveraged for trust verification, and includes privacy protection, decentralized infrastructure and application platforms and decentralized identities. This is a revolutionary step that will enable users, creators and developers to hold greater stakes and the ability to vote on a platform in much the way a cooperative works. But this deeper connection will come at a price that cybersecurity professionals must take into consideration.

In Web3, security must be at the forefront of every innovation, action and interaction, not an afterthought. In theory, data security could be enhanced by the open, decentralized networks that Web3 envisions.

There are potential security benefits to decentralized architectures, but there are also drawbacks. Increased transparency also means a more exposed attack surface, and there are significant challenges in protecting the architecture, smart contracts and data. The spike in ransomware attacks, breaches of DeFi and cryptocurrency platforms and data leaks in 2021 looks likely to spill over into 2022 as we move deeper into Web3.

As Web3 use cases enter everyday life, ransomware and digital extortion will likely become more common because these attacks are so lucrative. The booming value of cryptocurrencies, victims’ willingness to pay and the difficulty authorities have in catching attackers are also contributing factors to this rise in cybercriminal activity on Web3.

Web3 Advantages

Web3’s framework centers on a decentralized network that can lead to increased robustness and a decentralized form of technology (blockchain) that discourages any particular person or group from having full control of an ecosystem. Rather, all users collectively retain control. While there is no single governing entity in Web3, blockchains are databases that hold records while algorithmically ensuring security and transparency. In Web3, users’ data is opaque to others and identity is decoupled from the data itself. That means users’ data belongs to them and is not owned by any single entity; users can clearly see who has access to their data and what type of access they have.

Currently, Web3 users can interact with protocols without giving away much personal data, and the hope is that in the future they will be the ones to decide when, how and for how long to share their data or permit others to access it.

Web3 Risks

The decentralized nature of networks in Web3 also means that data exists outside of a more secure centralized service with a single point of entry. Security risks extend beyond data to include smart contract logic hacks and the lack of legal protection when things go wrong. Even when legal protection exists, you might not be able to identify who is liable; even if you can file a lawsuit, the smart contract with which you are interacting may have been deployed anonymously. There are also what are known as “rug pulls,” in which the developers of a cryptocurrency project abandon it and run away with investors’ funds. The largest alleged “rug pull” of 2021, for example, involved the Turkish centralized exchange Thodex. After accepting investment, the project’s CEO and the funds disappeared, causing users to lose over $2 billion in cryptocurrency.

From a privacy legislation perspective, decentralization also makes it difficult to identify the personally identifiable information (PII) controller and the PII processor. Additionally, because no central party controls or has access to the data in Web3, it is sometimes even more difficult to police cybercrime, including online harassment and extortion. Consider, for instance, whether it is possible to completely delete hate speech from a decentralized network if you can’t tell who is committing the hateful acts. Moreover, distributed content hosting could pose regulatory challenges: which country’s laws apply to a particular website?

Protecting Personal Data In Web3

For cybersecurity professionals, it will become more difficult to provide a fully protected environment in the future. One example: when businesses capture behavioral data, it must be kept in a highly secure vault. Though there is no simple general answer to the data protection challenges we face, security by design should be emphasized to reduce the likelihood of cybersecurity breaches and data breaches in Web3; it is already widely and effectively used in the internet of things (IoT). Security must be embedded in the development life cycle and considered from the very beginning. Principles of traditional security by design should still be adhered to, such as attack surface reduction, secure defaults and defense in depth.

Cybersecurity is a continuous evolution and an arms race between attacks and defenses. Some of the legacy best practices accumulated over time still hold up and should be adopted and/or improved in a Web3-based internet. Classic tactics such as encryption and zero-trust frameworks can be borrowed and adopted to great effect.

As cybersecurity professionals examine their role in defending against potential threats in the emerging Web3 internet, they would be wise to start with the basics while also evolving their approaches to accommodate a decentralized architecture where established centralized control no longer exists.

Jin Yang

Jin Yang is Information Security Advisor at Dtravel. In that role, Jin Yang, Ph.D., is focused on understanding the security challenges in the current and future state of business operations, especially in the e-business and crypto industry. Jin has broad experience in engineering and cybersecurity from previous roles as a technologist, researcher and engineer at companies such as Google and FireEye. She holds a Ph.D. in Computer Science from Ilmenau University of Technology, Germany, and previously received her Master’s Degree from Carnegie Mellon University.