In September 2021, as a result of the Department of Home Affairs’ call for views against the ‘Strengthening of Australia’s Cyber Security Regulations and Incentives’ discussion paper, the OCSC lodged its submission and shared its evidenced based perspective on how to best address some of the gaps, challenges and opportunities in strengthening the Australian cyber security regulations and incentives environment:

In this submission we propose that Australia’s regulatory framework for cyber security and associated incentives are currently overly complex, sectoral, and generally not fit for purpose. Therefore, steps should be taken to remedy the current framework to ensure greater coherency. Reform should also be tailored towards providing a clear outline of cyber security best practices, resolving the current regulatory gaps, introduce measures of accountability, and finally, provide remedies. Overall, the workability of the current framework needs to be developed through repackaging, expansion in scope, and education.

Read the full submission.

In September 2020, the OCSC team, and the OCSC CMM Ambassador’s responded to the Australian Department of Home Affairs call for submissions on ‘Protecting Critical Infrastructure and Systems of National Significance’. With the underlying theme of ‘defining the new frontier’ – the OCSC submission provided snippets of OCSC’s collective cyber security multi-dimensional subject matter expertise, their thoughts and various recommendations on actions and solutions:

Protecting what is critical to Australia’s sovereignty requires looking beyond our own borders to include our neighbours and partners. Setting clear parameters on what defines critical infrastructure and what constitutes effective national security governance must be considered at a national and international level. Our submission provides specifically researched and referenced examples of where frameworks, definitional aspects and enhance information sharing could assist the government to achieve this objective. A starting point as articulated in our response to Question 24 would be to conduct a Cybersecurity Capacity Maturity Model for Nations (CMM) review for Australia to assess the technical and non-technical dimensions of Australia’s critical infrastructure assets related to cybersecurity, with a view to build an evidence base, independent from government and industry, around best-practice responses to advanced and persistent threats. This would add to the intentions of the Critical Infrastructure Program for Modelling and Analysis (CIPMA) and would provide the necessary research, threat, data and risk analysis required to provide a more detailed depiction of the threat environment and subsequently contribute to better policy outcomes.

Read the full published submission.

In November 2020 the OCSC responded to the Australian Department of Home Affairs call for submissions on ‘Critical Technology Supply Chain Principles’. OCSC’s subject matter experts; A/Prof. Carsten Rudolph, Prof. Iqbal Gondal and Dr. James Boorman addressed and informed various questions posed:

Governments need to play an important role in addressing the security of supply chain systems for critical processes such as critical technology and food security. However, it is not clear what the Government considers to be critical technology. It will be important to develop a clear definition with criteria and examples for determining what is considered critical technology. This definition should involve widespread consultation, though care must be taken to avoid an all encompassing definition which loses focus on protecting what is important. An unnecessarily strict regulation of supply chains stifles innovation and limits the ability of organisations to compete on a global scale.

Read the full submission.

Building cyber resilience for a nation requires coordination of multi-stakeholders, local and regional contextualisation and the use of a multi-dimensional approach. These facets are just some of the key fundamental ingredients that should be considered as nations review their existing capabilities and their operating environments, further assisting in the set-up of strong foundations in the development of national cyber security visions and strategies.

In keeping with the CMM approach of understanding the current baseline of cyber security capacity in building effective cyber resilience, in June 2020, the OCSC answered the call from the Department of Foreign Affairs and Trade (DFAT) to provide thought leadership input into the Cyber and Critical Technology International Engagement Strategy (CCTIES).

OCSC’s Director of Research, Associate Professor Carsten Rudolph and the Head of Department for Software Systems and Cybersecurity in the Faculty of Information Technology at Monash University, and Dr James Boorman, OCSC’s Head of Research and Capacity Building, identified what components are essential to the development of Australia’s national cybersecurity, the security of the region and the security of Australia’s global allies.

Read the full submission.

Academic Publications

A. Professor Carsten Rudolph, OCSC’s Director of Research, contributed his thought leadership in a submission for the ‘Proceedings of the Eleventh ACM Conference on Data and Application Security and Privacy’.

His peer reviewed and published article talks about ‘We Can Pay Less: Coordinated False Data Injection Attack Against Residential Demand Response in Smart Grids’.


“Advanced metering infrastructure, along with home automation processes, is enabling more efficient and effective demand-side management opportunities for both consumers and utility companies. However, tight cyber-physical integration also enables novel attack vectors for false data injection attacks (FDIA) as home automation/ home energy management systems reside outside the utilities’ control perimeter. Authentic users themselves can manipulate these systems without causing significant security breaches compared to traditional FDIAs. This work depicts a novel FDIA that exploits one of the commonly utilised distributed device scheduling architectures. We evaluate the attack impact using a realistic dataset to demonstrate that adversaries gain significant benefits, independently from the actual algorithm used for optimisation, as long as they have control over a sufficient amount of demand. Compared to traditional FDIAs, reliable security mechanisms such as proper authentication, security protocols, security controls or, sealed/controlled devices cannot prevent this new type of FDIA. Thus, we propose a set of possible impact alleviation solutions to thwart this type of attack.

Access the full publication here.

Your Content Goes Here

In December 2020, senior research university members and staff collaborated to submit and article at the 2020 IEEE 6th International Conference of Collaboration and Internet Computing.

Professor David Watts (La Trobe) and A. Professor Carsten Rudolph and A. Professor Gillian Oliver (Monash University), wrote about ‘What Information is Required for Explainable AI?: A Provenance-based Research Agenda and Future Challenges‘.


“Deriving explanations of an Artificial Intelligence-based system’s decision making is becoming increasingly essential to address requirements that meet quality standards and operate in a transparent, comprehensive, understandable, and explainable manner. Furthermore, more security issues as well as concerns from human perspectives emerge in describing the explainability properties of AI. A full system view is required to enable humans to properly estimate risks when dealing with such systems. This paper introduces open issues in this research area to present the overall picture of explainability and the required information needed for the explanation to make a decision-oriented AI system transparent to humans. It illustrates the potential contribution of proper provenance data to AI-based systems by describing a provenance graph-based design. This paper proposes a six-Ws framework to demonstrate how a security-aware provenance graph-based design can build the basis for providing end-users with sufficient meta-information on AI-based decision systems. An example scenario is then presented that highlights the required information for better explainability both from human and security-aware aspects. Finally, associated challenges are discussed to provoke further research and commentary.

Access the full publication here.

In October 2020 the Taylor and Francis Group specialising in eBooks across a range of subject areas, published the book Artificial Intelligence and the Law, Cybercrime and Criminal Liability.

We are delighted to share that Chapter 3 of Artificial Intelligence and the Law is written by our CMM Ambassador Professor Jonathan Clough (Monash University) and Chapter 9 written by CMM Founding Director and member of OCSC’s Advisory Board, Professor Sadie Creese (University of Oxford).

Abstract: Chapter 3 “Between prevention and enforcement: the role of “disruption” in confronting cybercrime”.

“This chapter discusses the nature of disruption and its application in the context of cybercrime, with a particular focus on legal frameworks. It begins with the nature of disruption and the role of intelligence in disruptive practices, before providing examples of how disruption may apply in the context of cybercrime. The chapter considers three contexts in which legislative action may be required in order to provide both the necessary legal powers and appropriate oversight. These are: the need for criminal offences that support disruptive techniques, investigative powers that may be utilised for disruptive purposes and provisions that support transnational cooperation. Since the early 1990s, policing agencies have increasingly moved away from a reactive prosecution-directed mode of crime control towards a form of policing known as intelligence-led policing. Because of its more proactive nature, intelligence-led policing lends itself not only to crime prevention and reduction, but to the use of other techniques to disrupt criminal activity without necessarily proceeding to prosecution.

Media Publications

In October 2021, Mr. Cameron Boardman, Director of the OCSC, was invited to contribute his perspective on cybersecurity concerns in the Pacific and policy thought leadership by the UK based Commonwealth Security Group (CSG) for their Commonwealth Security Review: Emerging Technology Insights 2021.

The CSG is a think tank formed to promote security corporation across the Commonwealth. Their aim is to provide a platform for all stakeholders, within the public or private sector, to influence security decisions at both the policy and business level.

The CSG is rooted in the Commonwealth charter on peace and security. Through their specialist programmes, events, research, and publications, the SCG seeks to build multi-stakeholder partnerships, inform security policy, and promote the Commonwealth committee as an engine for addressing security challenges.

In the 2021 edition, Cameron discusses OCSC’s work in the Pacific region and the role it continues to play since the Centre opened its doors in 2016, the impact the Cyber Security Capacity Maturity Model for Nations (CMM) is having, and his perspectives on the global cyber security policy making environment:

“There is not a singular way to implement digital change and that each country specific circumstances, culture and geography must be taken into consideration at every level of the policy development phase”

“Until we get the fundamentals of appropriate regulatory systems that can adequately respond to violations, it is going to be very difficult to prove cyber security world over”

Enjoy reading the full Emerging Technology Insight publication or read the OCSC extract only.

Your Content Goes Here

Ms. Kate Pacalt-Shady (Head of Marketing and Communications) and Dr. James Boorman (Head of Research and Capacity Building) collaborated with OCSC’s Global Constellation (GC) partners, the Global Cyber Security Capacity Centre (GCSCC) and the Cybersecurity Centre for Southern Africa (C3SA) to inform and co-author an article on the GC’s impact in the area of cyber security capacity building, and how this unique three way partnership provides for a wider berth in reach to drive the CMM deployment mandate. The GC lead the deployment of the CMM in their respective regions, and provide a point of contact for international partners and regional governments seeking to engage in the CMM review.

The article was written for the Global Cyber Expertise Magazine (8th Edition) audiences, and contributed its dialogue to the agenda for better global collaboration and coordination in cyber capacity building, the related projects, and touches on the independent findings, from an external study commissioned by the UK Foreign, Development & Commonwealth Office (UK FCDO) in 2020:

The CMM reviews…. “drove enhanced awareness and capacity building in the area of cybersecurity, provided a foundation for the national cybersecurity strategy development and improved credibility of the cybersecurity agenda within governments.” Countries from all parts of the world also expressed that “the CMM helped to define roles and responsibilities within government, resulted in increased funding for cybersecurity capacity building and underpinned capacity building programs by international partners.” Read the full article on page 62.

In June 2020, the OCSC team were invited by the Australian Information Security Association (AISA), to contribute a thought leadership article in AISA’s newly established Cyber Today Magazine (Edition 2). The thought leadership article was titled ‘The regional threat: coordinating a better response’, and discussed Australia’s cyber threat landscape and how the OCSC is helping to strengthen cyber security capacity building in the Pacific region.

The article also discussed areas of OCSC’s submission to the Department of Foreign Affairs and Trade (DFAT) on the Cyber and Critical Technology International Engagement Strategy, providing readers with an understanding on OCSC’s stance and perspectives from OCSC’s subject matter expertise. It highlights strategic recommendations that contribute in off-setting national security risk exposures, and how to build resilience into Australia’s regionalised cyber security operating environment.

“The OCSC submission stated that the key to international cyber and critical technology objectives should be to build sustainable resilience, ensure integrity of information and technology, and strengthen relationships. At minimum, these objectives should include the consideration of capacity, supply chain, natural disasters and pandemics, and purposive, persistent and incidental attacks. OCSC further advised that the national cyber security strategy should position and establish a region-wide systemic view on cyber security and technology risks, and should support nations with their individual risk assessments and treatment plans. This is particularly important for digital transformation in developing countries in the Asia-Pacific region. Building a stronger region is important to reduce cyber harm to Australia and our partner countries”.

Read the full story on page 68.

In June 2021, Dr. James Boorman (Head of Research and Capacity Building) was invited to write about his experience of performing a remote Cybersecurity Capacity Maturity Model for Nations (CMM) review in the Pacific region during the COIVD-19 pandemic.

The article was written for the Global Cyber Expertise Magazine (9th Edition), which aims to provide cyber policymakers and stakeholders insight on cyber capacity building projects, policies and developments globally.

Read the full article on page 24.

In June 2022 Associate Professor Carsten Rudolph (Director of Research), James Boorman (Director of Research and Capacity Building) and Professor Monica Whitty (Monash University) were invited to discuss the role of cybersecurity within Pacific security and how OCSC is helping to build the capacity of Pacific Island states so they can better understand and strengthen their digital resources.

“The Pacific faces numerous challenges, such as the threat of climate change and major powers jostling for influence in the region. Against these adversities, Pacific countries have shown determination to preserve their own (and the region’s) identity and sovereignty.

One less-appreciated aspect of Pacific security is cybersecurity. Some cyber threats are financially motivated, such as ransomware or phishing attacks, but others aim at critical infrastructure. Still other attacks threaten society and democratic processes through spreading misinformation and disinformation.”

Read the full article here: Cybersecurity in the Pacific: how island nations are building their online defences (

In June 2022 Associate Professor Carsten Rudolph (Director of Research) joined ABC Radio’s Pacific Beat program for a broad ranging discussion on the digital vulnerabilities Pacific Island nations are facing and what can be done to help build cyber resilience at an individual and national level.

Listen to the full interview here: Pacific countries increasingly vulnerable to cyber security attacks, experts say – Pacific Beat – ABC Radio Australia


Dr. James Boorman (Head of Research and Capacity Building) was part of the project team who developed the GOAT in collaboration with GCSCC, GFCE, UN International Telecommunication Union (ITU), Potomac Institute for Policy Studies (PIPS), e-Governance Academy (eGA) and the Organization of American States (OAS).

Published by the Global Forum on Cyber Expertise (GFCE), the document aims to assist in the decision-making process by providing a comprehensive overview of the different cyber capacity assessment tools, their approaches, benefits and outputs, and what to do and whom to contact if a country wishes to be assessed.

Read the full document here.