Expert Take: Security Guru Ian Thornton-Trump on Web3 and the Metaverse

Q&A with Ian Thornton-Trump, chief information security officer at Cyjax, a threat intelligence solutions provider.

Ian Thornton-Trump is the chief information security officer at Cyjax, a threat intelligence solutions provider. Thornton-Trump served in both the Canadian Military Intelligence Service and the Canadian Forces Military Police Reserves. After spending a year with the RCMP as a criminal intelligence analyst, he worked as a cybersecurity analyst and consultant for multinational insurance, banking and regional health care organizations. He currently teaches cybersecurity and IT business courses, and he's the lead architect for CyberTitan, Canada's effort to encourage the next generation of cyber professionals. We recently got to ask him the following questions.

ESJ: How are you characterizing the metaverse in the emerging third generation of the World Wide Web?
Thornton-Trump: It's essentially a virtual world, a digital twin, if you will, of our physical world. It's all kinds of brand spanking new, though conceptually, it's nothing new to the gaming community. It's similar to what was envisioned in the movie Ready Player One. It's the realization of where computer technology has been pushing us, and it pulls in a bunch of different virtual elements, from augmented reality to the entire NFT and crypto environment.

Are the blockchain technologies that underpin the next generation of the Web secure?
The idea here is to have a public ledger that attributes ownership. I'm really of the opinion that this is a result of the failed attempts at digital rights management dating all the way back to when Sony tried to put malware on your machine to control copying music. The public ledger approach is a solid one, but we're moving into territory with rapidly evolving technology, and there are tremendous vulnerabilities within the smart contract and the blockchain environment. For one thing, it runs on hardware, which means there's an inherent level of unreliability. Servers crash. Amazon goes offline. Panic ensues.

And even in a virtual world, real crimes happen -- theft, fraud, inappropriate behavior. And a completely virtual world will likely be under the governance of a corporation. Finding evidence of criminal activity in the virtual world will be extremely difficult. I mean, that's hard to do in the physical world, let alone Web2-plus. No one should get the idea that Web3 is going to be any more, you know, secure, in that sense.

Are there risks in this scenario?
Oh, sure. People are buying up "real estate" within a virtual world so they can be neighbors with celebrities. The U.K. just decided that NFTs are property that can be seized by the government. But as we rush into this space, we should keep in mind that if a corporation controls a virtual world, it gets a piece of every transaction that goes through it. That's a virtual (pardon the pun) license to print money because you can manipulate and prefer people who decide to take the "gold" or "platinum" virtual world package, and they can market their own content and virtual products. So, there are going to be questions around antitrust. When a company controls a virtual world, isn't that a monopoly by definition?

Are you optimistic that there's a universal standard for Web3 on the horizon?
I'm a bit pessimistic, actually. Universal governance is challenging because of cultural differences between nations, and even within nations. Some things that are acceptable behavior in the physical world in one country are almost certainly not acceptable in a bunch of other countries. Think about how LGBTQ rights differ, and how minority treatment aligns historically. So, a universal online bill of rights or constitution to govern behavior is really challenging in the best of times. And these aren't the best of times, so I don't really feel that we're going to have a particularly effective governance framework porting itself into Web3.

Let's be really clear here: The metaverse is not emerging from the benevolence of the enterprise for the benefit of its users. And so, I will say this: If there is an opportunity for a corporation to make money in the metaverse from providing something approaching an online governance standard, they will jump on that bandwagon. That's sort of the cross-consumerism of any profit-focused organization.

Also, I see this as moving hard and fast into a lot of industrialized G20 countries that have the massive compute power this evolution will require, but it will be difficult to onboard countries that not only lack this level of technology infrastructure, but have real challenges in the physical world. And now we're asking them to join us in this virtual world? Even those that are able to join must be hesitant if it's all under a corporate American banner.

So, generally speaking, how do companies prepare for the coming of Web3?
They should be exploring the idea, talking with consultants who understand thoroughly where we are today and can see clearly where we're going. And certainly, the VC community has begun to identify opportunities to make gobs of money. But they should also look at issues of social responsibility because that's going to be a vulnerability if they don't.

Should companies be looking into hiring now for Web3? Should developers be ramping up their skills with Web3 in mind?
Web3 and the associated technologies are opening up a whole new chapter, if you will, in software development. It's a real sea change. Marketplace and VC companies have already put about $10 billion into this space, and we're talking about trillions down the road. So, we're going to need a lot more people to build it. And then we're going to need a lot more people to protect it.

Companies are going to be looking at this space for revenue opportunities from a traditional IT point of view, but we're going to need a whole bunch of talents and skill sets that haven't been invented yet. The tricky part, I think, is that they will need to develop and maintain skills that transcend the physical and virtual worlds.

Are there specific areas managers and developers should be looking at when it comes to development skills?
There will be growing focus on availability and resilience because you can't reboot a virtual world. I think there's going to be growing demand for skills in digital forensics -- finding what went wrong and holding people accountable. There will continue to be growing demand for the ability to leverage behavioral science around AI, as well as ethics in machine learning. I mean, what are normal behaviors in the virtual world? And right now, Web3 is an incredibly nerdy experience, but we'll get past that, and all this is going to be mainstream.

About the Authors

John K. Waters is the editor in chief of a number of sites, with a focus on high-end development, AI and future tech. He's been writing about cutting-edge technologies and culture of Silicon Valley for more than two decades, and he's written more than a dozen books. He also co-scripted the documentary film Silicon Valley: A 100 Year Renaissance, which aired on PBS.  He can be reached at

Gladys Rama (@GladysRama3) is the editorial director of Converge360.
