The United States and the Metaverse

The United States government, in contrast to the EU, South Korea, and China, has largely ignored the rising cybersecurity implications of the metaverse and China’s efforts to lead in this space. Admittedly, the U.S. government has issued several strategies on national security, emerging technology, and cybersecurity that could impact the security of XR technologies. The 2022 National Security Strategy details that technology is “central to today’s geopolitical competition and to the future of our national security,” and highlights the importance of competing against China in the tech marketplace.¹ The National Standards Strategy for Critical and Emerging Technology also details the importance of the U.S. government working with private-sector partners and academia to lead in Standards Developing Organizations (SDOs) because the failure to do so could have security implications.² This point was also reiterated in the 2023 U.S. National Cybersecurity Strategy, which calls for the need to engage in SDOs “to secure emerging technologies, enable interoperability, foster global market competition, and protect our national security and economic advantage.”³ The strategy also calls for securing supply chains, shifting liability for insecure software on the producers, and ensuring that holders of data are responsible stewards.

None of these strategies mention XR technologies as an emerging technology to keep an eye on.⁴ Arguably, there will be some beneficial cybersecurity impacts on XR technologies if semiconductor supply chains are strengthened and if MSPs can secure the data they store. But without XR detailed in these national strategies, it is unlikely the U.S. government will devote time and resources to specifically address those unique challenges. The National Cybersecurity Strategy’s Implementation Plan, for example, has thorough descriptions on how key parts of the strategy will be implemented, leaving little room—or resources—for deviation.⁵

Looking beyond these national strategies for XR-specific plans also shows that the United States is behind other countries. The Government Accountability Office and CRS have issued a few informational reports on metaverse focused on military applications and privacy concerns, but pass mentions of cybersecurity concerns.⁶ NIST also has an “XR Community of Interest” that convenes subject matter experts whose work ranges from “visualizing crystalline structures to simulating public safety situations, performing usability testing, and creating standards,” but their last “highlights post” was in 2021.⁷

In general, Congress as a whole has taken some steps, but nothing of significance. Congress was initially ahead of the game by creating the “Caucus on Virtual, Augmented, and Mixed Reality Technologies” in May of 2017 to “promote the advancing technologies of virtual reality, augmented reality, and mixed reality to Members of Congress and their staff.”⁸ However, it is unclear what actions the caucus has taken since its inception. A handful of senators—unaffiliated with the Caucus—issued a letter to the Federal Trade Commission (FTC) on VR and children’s privacy, and they urged the FTC to use authorities under the Children’s Online Privacy Protection Act to protect children using VR devices.⁹ In 2022, the House introduced a resolution to make November “National XR Month” to raise awareness of XR’s economic impact. Specifically, the resolution noted that XR “plays an essential role in supporting United States national security objectives, where it is (1) used by the United States military for training programs; and (2) used for emergency preparedness and disaster response and management.”¹⁰ The resolution ultimately failed. Most recently, a bill was introduced in 2023 for the Labor Department to develop “immersive technology education and training programs for workforce development” that includes XR technologies, but it has not seen a vote in the House. Another bill would create a “Bureau of Digital Services Oversight and Safety” in the FTC to create regulations for a number of digital services, including AR and VR. And, apparently under the guise of Great Power Competition, one House member introduced a bill to “prohibit the use of Federal funds by the Department of Health and Human Services to award a grant for any virtual reality platform designed to teach children in China how to cross the street.”¹¹

Although these bills have failed to gain traction in Congress, some XR-related bills have become laws through the National Defense Authorization Act, including:

• Development of a digital health strategy by The Secretary of Defense to incorporate new and emerging technologies and methods, including virtual reality, in the provision of clinical care within the military health system;¹²
• Increased funding for airborne AR for pilot training; and¹³
• An analysis of whether emerging technologies, such as augmented reality, may aid in new shipbuilder training.¹⁴

Regardless of U.S. inaction, the combination of how the metaverse will impact society and other countries’ policy responses to governing XR technologies illustrates that the metaverse is here and will continue to expand. XR technologies promise countless benefits, but the potential pervasiveness of the technology will introduce new vulnerabilities that malicious actors will surely exploit. While society will not collapse if a customer is unable to see how their kitchen would look like with sky blue walls, the incorporation and potential dependency of critical infrastructure and military actions on XR could pose a threat. Indeed, the United States saw a rise in ransomware attacks on schools and health care facilities when society transitioned their lives online with the onset of COVID-19. It is therefore highly likely, if not expected, for malicious actors to find loopholes in hardware and software as XR devices and applications become increasingly popular. The impact could be alarming, ranging from compromised personal data to military espionage. It is time for the United States to take action.