Recommendations
Given the ubiquitous nature of XR technology, its increasing use in society, and geopolitical realities, the U.S. government and private-sector policymakers must take action. Policymakers should apply current cybersecurity best practices within XR technologies; learn from other countries by fostering innovation at home and examining the need for regulatory action; and engage with international partners on global norms and standards.
- Get on the same page. The U.S. government desperately needs to coordinate how private-sector partners and academia will work together to securely incorporate XR technologies into our society. The U.K. and EU have established these exact forums and have already developed strategic documents and are iterating upon them, enabling them to fully embrace these technologies. The United States is woefully behind. The U.S. government should work closely with private-sector partners to determine what existing cybersecurity best practices—from security controls to frameworks to existing government policies—could apply to these technologies. Doing so will then help prioritize U.S. government and private-sector efforts to create new processes and security standards in those areas where existing best practices are not applicable. There will be a need for a strategic plan detailing a whole-of-society approach to XR in the near future, including government use of XR, securing XR technology, and cooperation and competition for the XR markets. A key part of this effort will be defining the “metaverse” to scope the effort and identify the relevant stakeholders.
- Encourage XR companies to adopt security frameworks and standards. Companies involved in the XR ecosystem should adopt and implement existing cybersecurity frameworks. This could include the NIST Cybersecurity Framework, the Cybersecurity & Infrastructure Security Agency’s (CISA) Cross-Sector Cybersecurity Performance Goals, or the Center for Internet Security’s Critical Security Controls.1 Adopting these standards does not necessarily mean their technologies will be secure, but it does improve their company’s enterprise security, making it harder for malicious actors to gain access to their networks and infiltrate users’ systems.
- Adopt stringent user authentication and zero trust authentication models. With XR customers generating significant amounts of sensitive data, it will be imperative that strong log-in controls and access controls be implemented within XR companies and MSPs storing XR-generated data. Multi-factor authentication, strong passwords, and Fast Identity Online (FIDO) keys are established models for strengthening user authentication, but companies should make them default settings rather than an opt-in service. While biometric logins have become increasingly popular, security practitioners should consider their appropriateness for logging into XR technologies. Additionally, XR companies and MSPs should implement zero trust authentication (ZTA) models into their systems to limit employee access to user data and other sensitive information. Employees have previously abused their unfettered access to user data, and ZTA can help prevent unauthorized access to that data.2 Similarly, if an employee’s account gets hacked, ZTA will make it difficult for a bad actor to access user and company data.
- Leverage secure by design, secure by default principles. XR companies should look at CISA’s Secure by Design, Secure by Default Principles to ensure that their products are built with security in mind and have security features that are easily accessible by the consumer.3 Just as a car is secure by design due to airbags and automatic brakes and secure by default because of its seatbelts, XR technology providers must ensure that they are writing memory-safe code (secure by design) with multi-factor authentication enabled for logins (secure by default). This can also be extended to improving users’ data privacy, in which XR platforms could detail in layman’s terms the data they collect, how it is stored, for how long, and who has access to it.4 The U.S. government should also work with the U.K., which included secure by design as a high-level principle in its Consultative Response Paper and signed onto CISA’s principles, to further encourage companies to adopt these principles.5
- Get buggy with coordinated vulnerability disclosures and bug bounties. The U.S. government should encourage security researchers to engage in U.S. government coordinated vulnerability disclosure (CVD) processes to safely and productively disclose vulnerabilities and coordinate mitigation efforts. Similarly, XR companies should adopt bug bounty programs to pay individuals if they find a vulnerability in their system. Meta, for example, has bug bounty programs for their Meta Quest controllers and pays up to $300,000 for certain vulnerabilities.6 The combination of U.S. government and private-sector CVD programs will help security researchers find vulnerabilities formally and safely without fear of retaliation.
- Lead in developing international standards. The U.S. government must work with its private-sector partners in the international community to develop security and other standards to counter China’s efforts to lead international standards. The U.S. government must learn from its mistake in 5G and proactively work with associations and companies to engage in international standards conversations, similar to the EU Commission's collaboration with the VR/AR Coalition. The Metaverse Standards Forum, for example, includes companies like Adobe, Qualcomm, Epic Games, Meta, and others and is exploring how Standards Developing Organizations could be leveraged to create interoperability standards. The U.S. government can also collaborate with the XR Association, which has companies such as Google, Microsoft, Sony, and others to collectively tackle XR issues. The U.S. government can work with these private companies and associations to engage in the UN’s ITU Focus Group on the Metaverse, work to place U.S. members in leadership positions, and counter China’s efforts in standards development.
- Copy a page from our European friends and examine regulation. While Washington may be pilloried for discussing regulation, policymakers must assess what existing regulations apply to XR, which ones need to be modified, and the gaps in regulation that need to be filled with new regulatory laws. The European Council found that their “existing regulations don’t cover XR technology and the lack of globally accepted standards further contribute to security and interoperability issues,” and it is likely that the United States will have a similar discovery.7 U.S. policymakers would be wise to not ignore regulation as a tool in their toolbox. This would also be consistent with the 2023 U.S. National Cybersecurity Strategy, which states that “new authorities will be required to set regulations that can drive better cybersecurity practices at scale.”8
- Copy a page from our Asian allies and examine financial incentives. Similar to how South Korea and Japan are directly investing in their XR sectors, the U.S. government should build off the strategy described above to determine how existing grants could be used to build the U.S. XR ecosystem. This includes looking at grants within the Infrastructure Investment and Jobs Act, the CHIPS Act, and the Inflation Reduction Act to determine whether it would be appropriate to invest in XR technologies.
- (Finally) do something about privacy. Any cyber incident, regardless of technology, has the potential to directly or indirectly compromise privacy. Congress has failed for years to pass any meaningful legislation on data privacy, yet the sheer amount of sensitive information produced by XR will be greater and more sensitive than that previously generated by internet-enabled devices. This is a prime issue for the Reality Caucus to explore, and industry partners should examine reports published by the X Reality Safety Intelligence, the IEEE, and others that offer in-depth solutions to the privacy challenge.9
- Incorporate XR companies into the critical infrastructure ecosystem. The U.S. government should consider including XR technologies in the IT critical infrastructure sector so that it could leverage certain critical infrastructure authorities, forums, and information sharing protocols to enhance cybersecurity efforts. The U.S. government currently recognizes 16 critical infrastructure sectors, including a sector solely dedicated to IT that presumably includes some XR players like Apple, Microsoft, and Meta. However, this may not include other companies focused solely on XR technologies. Including them in the IT sector or making an XR subsector will help the government to better engage these companies as a collective and enable these companies to have a unified voice to communicate with the government. This relationship would not be built overnight. One way to build trust is to facilitate information sharing between the government and industry. XR companies, for example, should be made aware of, and taught how to use, the information sharing protections detailed in the Cybersecurity Information Sharing Act of 2015. Additionally, XR companies could consider creating an information sharing and analysis organization (ISAO) initially and, if XR became a subsector, an information sharing and analysis center (ISAC) to facilitate that information sharing.
Citations
- “Cybersecurity Framework,” NIST, November 12, 2013, source; “Cross-Sector Cybersecurity Performance Goals,” Cybersecurity and Infrastructure Security Agency, Accessed August 15, 2023, source; “The 18 CIS Controls,” Center for Internet Security, Accessed August 15, 2023, source.
- Rohan Goswami, “Meta Reportedly Disciplined or Fired More than Two Dozen Workers for Taking over Facebook User Accounts,” CNBC, November 17, 2022, source.
- “Secure by Design,” Cybersecurity and Infrastructure Security Agency, Accessed August 15, 2023, source.
- “The XRSI Privacy and Safety Framework,” X Reality Safety Intelligence, September 8, 2020, source.
- Department for Science, Innovation and Technology, “Enabling a National Cyber-Physical Infrastructure to Catalyse Innovation: Consultation Document,” GOV.UK, March 2, 2022, source.
- Danny Palmer, “Hacking the Metaverse: Why Meta Wants You to Find the Flaws in Its Newest Headsets,” ZDNET, January 3, 2023, source.
- Alexandros Vigkos, Davide Bevacqua, Luca Turturro, and Silvia Kuehl, VR/AR Industrial Coalition (Luxembourg: Publications Office of the European Union, 2022), source.
- Biden-Harris Administration, National Cyber Strategy (Washington, DC: The White House, 2023), source.
- “The XRSI Privacy and Safety Framework,” X Reality Safety Intelligence, September 8, 2020, source; Mark McGill, The IEEE Global Initiative on Ethics of Extended Reality (XR) Report: Extended Reality (XR) and the Erosion of Anonymity and Privacy (Piscataway, NJ: IEEE Standards Association, 2021), source.