September 2001
The Mason Gazette

Explosion in Cybercrime Spotlights Information Security

By Robin Herron

This past June, a federal grand jury in California indicted a Russian computer hacker for breaking into computer systems, stealing credit card information, and attempting to extort from the victim companies fees for "computer security services." This case was just one among thousands of cybercrimes prosecuted by the U.S. Department of Justice this year. And the number of cybercrimes is growing. Statistics compiled by the Justice Department's computer crime division show 21,756 incidents in 2000 compared with just 6 in 1988.

Computer security breaches come in various forms, from teenagers hacking into computer systems just for fun, to elaborate schemes calculated to steal thousands of dollars. Other cybercrimes involve the theft of intellectual property and threats to national security.

In response to the explosion in cybercrime, companies have sprung up to handle the security needs of businesses and other organizations, and universities, such as George Mason, are training students in computer security and researching new methods of preventing security failures. This response has spawned an industry known as information assurance, or IA, whose emerging technologies encompass the research, development, and modeling that support defenses against information warfare or attacks against computer and network system vulnerabilities.

At George Mason's Center for Secure Information Systems (CSIS) within the School of Information Technology and Engineering (IT&E), faculty and researchers are involved in all aspects of IA. "The breadth and depth of our research distinguishes our center from others," says CSIS Director Sushil Jajodia. "We receive visitors from all over the world," he adds.

Founded in 1990, CSIS was the first center at a U.S. university dedicated to this type of security. Since then, the center has expanded its scope of research, its faculty, and its relationships with government and industry. In 1999, the center was among the first group of seven universities in the country to be named a Center of Academic Excellence in Information Assurance Education by the National Security Agency.

In the May 2001 Information Security magazine, George Mason was cited as having one of "the most highly regarded university programs in the world," offering students interested in information security such options as a graduate certificate in information systems security, an M.S. in Information Systems or Software Engineering, and a Ph.D. in Information Technology or Computer Science with information security as the focus.

The university's reputation in the field of information security recently led to a teaming agreement with EDS, a leading service company that provides consulting, electronic business solutions, business process management, and systems and technology expertise to business and government clients around the world. According to Eugene Norris, director of professional education programs in IT&E, the agreement with EDS might call for George Mason to conduct analyses or studies, prepare reports, develop curriculum and course work for IA-related topics, or conduct classes or present briefings to various academic or industry forums.

CSIS already has corporate sponsors--the MITRE Corporation, Veridian, and Microsoft Research to name a few--as well as relationships with such government departments as the U.S. Department of Defense, the U.S. Army, and the U.S. Air Force. These relationships are mutually beneficial, says Jajodia.

"One successful area of research has been in applying data mining techniques for intrusion detection," says Jajodia. "Another is in steganography, a technique for identification of images hidden within other images. We have a new solution that is very efficient." Jajodia adds that CSIS is in the process of applying for patents on several of these techniques.

Other current research projects include critical infrastructure protection, web security, design techniques for secure database systems, flexible access control models and mechanisms, secure electronic commerce, protection from malicious code, and digital watermarking, a process of marking images as a protection against copyright infringement.

In addition to CSIS, another IA research laboratory housed within IT&E is the Cryptography and Network-Security Implementations Laboratory headed by Kris Gaj. This lab recently researched the hardware performance of the new Advanced Encryption Standard candidates and developed an acceleration process for encryption.

IT&E's Laboratory for Information Security Technology (LIST), headed by Ravi Sandhu, is also involved in IA research. Since its inception in 1995, LIST has become a world leader and pioneer in role-based access control (RBAC). The National Institute of Standards and Technology is currently developing an RBAC standard largely based on LIST research. LIST has also been active in digital rights management.

IT&E's IA research efforts thus far are only the beginning. "Our goal is to bridge the gap between academia and industry by bringing the best engineering practices and research to bear on the security problem," says Jajodia. "Ultimately, we want to transfer the technology through publications, tools, consulting, and seminars."