By Clementine Gazay
2022 will surely go down in the books as the year Web3 became ubiquitous, or at least, seemed to appear in every headline on your LinkedIn feed. The term has been used loosely to describe the totality of next-generation, ongoing efforts to decentralize ownership, financial instruments, systems, and information throughout the web. Naturally, these developments have massive implications for individual and corporate cybersecurity.
In common perception, the Web1 era enabled us to access information across the internet. The Web2 revolution gave society the tools to read and “write” information through content production and management. Web3 is one iteration further: authenticated ownership, community, and activity is now possible. Numbers support bullish feelings on growth: Market research estimates the global Web3 market to reach USD$81.5 by 2030, registering a CAGR of 43.7% during this forecast period.
One barrier to this growth will undoubtedly be cybersecurity threats to Web3 applications. Yet, as they continue to develop, Web3 technologies are being hailed as a new era of innovation for cybersecurity. In tomorrow’s Web3 world, individuals have control over their data. Hackers can’t alter information stored in decentralized systems by design. Smart contracts don’t allow for doubt surrounding the ownership of virtual (and physical) assets. Your uncrackable “seed phrase” safeguards your cryptowallet, keeping your money safe.
It hasn’t taken long for the internet to prove this is a naïve point of view. A NASDAQ source report notes that, “$2B was lost due to protocol attacks and despite the bear market, losses due to hacks from this year have already exceeded that number as of September 2022.”
Market research estimates the global Web3 market to reach USD$81.5 by 2030, registering a CAGR of 43.7% during this forecast period.
In late 2021, a gallery owner virally tweeted he had been the victim of virtual art theft. His high-profile Bored Ape collection—estimated at $2.2 million at the time—had gone missing from his digital wallet. Eventually, he retrieved them with the help of fellow tweeters and the OpenSea platform. But the internet is forever, and his cry for help is now alive in perpetuity— as an NFT.
Aside from providing an amusing anecdote, this tale (one of many) proves that there are cybersecurity flaws inherent to the Web3 economy. The question is— what are they? And where do the business opportunities lie?
Increasing Web3 assets of high worth means more sophisticated attacks directed at valuable targets.
Web3 assets are no longer confined to Decentralized Financial (DeFi) components. Valuables on the web include your cryptowallet but have expanded to encompass NFTs and access to NFT communities. These high-value assets will undoubtedly be prioritized as attack targets, as hackers go where reward meets effort. Assets with high value will be targeted with precision, resulting in sophisticated and highly specialized and customized attack campaigns. Individuals investing in Web3 assets should be prepared to fend off these personalized attacks. Discord accounts and activity are a source of information and inspiration for these growing attackers, as they are the central point of information about NFT ownership. If you’re investing in high value NFTs with an active Discord profile, you’re opening a museum of fine art in a (theoretically uncrackable) glass case on display in a public place. People are still going to try to crack that glass. As an individual, expect increasing, advanced phishing attacks on all your connected devices.
These high-value assets will undoubtedly be prioritized as attack targets, as hackers go where reward meets effort. Assets with high value will be targeted with precision, resulting in sophisticated and highly specialized and customized attack campaigns.
Applications and APIs using blockchain technologies will be seen as the weakest links.
Decentralized blockchain resistant to hackers and to integrity attacks by nature may not be the direct target, but associated applications with more traditional cybersecurity weaknesses will be. According to a Forrester report on Web3 security, “Attackers deploy a range of common and custom exploits to find and take advantage of code weaknesses and software vulnerabilities in web applications and APIs. [They] also look for flaws in container or cloud workload configurations and deploy bots to mount attacks like credential stuffing and DDoS attacks.” The entire ecosystem around Web3 applications will be looked at when planning an attack. Efforts directed solely at securing front-facing applications may end up being bypassed through related application attacks.
Advanced Persistent Threats (APTs) won’t go away – and their consequences may be more dire.
APTs are highly sophisticated cybersecurity breach efforts carried out by skilled actors over long periods of time—often nation-states or large criminal organizations with the resources to spare. They are among the most feared attacks by cybersecurity professionals as APTs have high disaster potential; their orchestrators won’t stop until they’ve succeeded. In 2022, the well-known Lazarus attack responsible for the theft of $620M in Ethereum was attributed to North Korea by the FBI. So long as Web3 assets with enough political, social, and economic meaning exist, APTs will proliferate. Something to consider for El Salvador, who made Bitcoin official legal tender in 2021.
So long as Web3 assets with enough political, social, and economic meaning exist, APTs will proliferate.
Taking these lessons and putting them in terms of business lessons, attractive markets include:
- Personal security and anti-phishing solutions for individuals with valuable Web3 assets;
- Enterprise tools scanning and evaluating Web3 security risks from third-party applications or compliance certifications with Web3 security standards;
- Highly personalized threat detection and threat intelligence services directed at sniffing out APTs.
All in all, the Web3 era is synonymous with greater cybersecurity needs. They may manifest in ways we haven’t seen before. This could mean less of a focus on the protection of integrity as transactions are now open for the world to verify on distributed ledgers. It could also mean more time-consuming, personalized phishing attacks on individuals with high-value targets. And, in a continuation of what we’re already seeing, growing sophisticated ATPs targeting politically valuable Web3 assets.
Clementine Gazay ‘24 is a French-American MBA student and Venture Capital Fellow at Columbia Business School. Prior to business school, she was a cybersecurity consultant for Deloitte in Montréal and Paris, completing engagements for major clients in the financial, industrial, and telecom sectors.