Code Red Scenario: Department of Public Services Crisis

Department of Public Services: State agency serving 2.5 million citizens, managing 40+ government service websites
Worm • Code Red
STAKES
Citizen service delivery + Government operations + National security implications + Public trust
HOOK
The Department of Public Services is managing peak tax season traffic when their IIS servers hosting citizen portals for tax filing, license renewals, and benefit applications begin displaying defacement messages. The compromised government servers are now participating in coordinated internet attacks, creating both immediate service disruption and serious national security concerns.
PRESSURE
Tax filing deadline in 48 hours - citizen service disruption affects millions + Government infrastructure compromised threatens national security
FRONT • 150 minutes • Expert
NPCs
  • Director Margaret Foster (Agency Director): Managing critical citizen services during tax season while addressing national security implications of government infrastructure compromise
  • Captain James Mitchell (Information Security Officer): Coordinating with federal cybersecurity agencies about government server compromise and participation in internet-wide attacks
  • Sarah Reynolds (Public Services Manager): Managing citizen communications as tax filing, license renewal, and benefit portals display defacement messages instead of government services
  • Agent Nicole Park (FBI Cyber Division): Investigating potential national security implications of government infrastructure participating in coordinated internet attacks
SECRETS
  • Government agency delayed IIS patches during tax season to avoid disrupting critical citizen services
  • Citizen service portals and government infrastructure share vulnerable web servers without proper security segmentation
  • Government servers are now participating in coordinated attacks against other government and critical infrastructure targets

Scenario Details for IMs

Opening Presentation

“It’s Tuesday morning at the Department of Public Services during the final 48 hours of tax season, with millions of citizens trying to file taxes and access government services online. Instead of tax portals and license renewal systems, government websites are displaying ‘HELLO! Welcome to http://www.worm.com! Hacked By Chinese!’ Federal cybersecurity agencies are calling because the state’s government servers are now attacking other government infrastructure across the internet.”

Initial Symptoms to Present:

  • “Tax filing portal displaying defacement message instead of citizen tax services”
  • “License renewal and benefit application websites showing identical compromise messages”
  • “Government IIS servers generating massive scanning traffic targeting other government agencies”
  • “Federal agencies reporting attacks originating from state government infrastructure”

Key Discovery Paths:

Detective Investigation Leads:

  • Government network forensics reveal buffer overflow exploitation targeting citizen service infrastructure
  • Public service system analysis shows memory-only worm infection across government web servers
  • Tax season timeline analysis indicates compromise during peak citizen service demand

Protector System Analysis:

  • Government network monitoring reveals infected servers attacking federal infrastructure and other agencies
  • Citizen service system assessment shows delayed patch management affecting critical government operations
  • National security analysis indicates potential classified system exposure through government network compromise

Tracker Network Investigation:

  • Internet traffic analysis reveals government infrastructure participating in coordinated attacks against critical infrastructure
  • Government network communication patterns show coordination with other infected government and military systems
  • Federal coordination reveals multi-agency impact and national security implications
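An added example (not part of the original scenario) that IMs can use to show how the Tracker's traffic analysis might confirm which web servers are generating scanning traffic: a web server normally receives port-80 connections, so one that initiates them to many distinct destinations in a short window stands out. The server list, addresses, flow-record layout and threshold are constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample data: flow records are (epoch_seconds, src_ip, dst_ip, dst_port).
# All addresses are private/documentation ranges chosen for illustration.
WEB_SERVERS = {"10.0.5.10", "10.0.5.11", "10.0.5.12"}  # hypothetical IIS hosts

def build_sample_flows():
    flows = []
    # 10.0.5.10: scanning pattern, 120 distinct destinations on port 80 in 60 s
    for i in range(120):
        flows.append((1000 + i // 2, "10.0.5.10", f"198.51.100.{i + 1}", 80))
    # 10.0.5.11: normal behaviour, a few outbound calls to a single host
    for i in range(5):
        flows.append((1000 + i * 10, "10.0.5.11", "192.0.2.20", 80))
    # 10.0.5.12: heavy traffic to one backend on another port, not a scan
    for i in range(200):
        flows.append((1000 + i // 4, "10.0.5.12", "10.0.9.5", 1433))
    # A workstation browsing the web is not in WEB_SERVERS and is ignored
    for i in range(80):
        flows.append((1000 + i, "10.0.7.44", f"203.0.113.{i + 1}", 80))
    return flows

def find_scanning_servers(flows, servers, port=80, window=60, threshold=50):
    """Return {server: peak distinct destinations on `port` within `window` s}
    for servers whose outbound fan-out meets or exceeds `threshold`."""
    per_server = defaultdict(list)
    for ts, src, dst, dport in flows:
        if src in servers and dport == port:
            per_server[src].append((ts, dst))
    flagged = {}
    for src, events in per_server.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            # Advance the window start until the span is shorter than `window`
            while events[end][0] - events[start][0] >= window:
                start += 1
            distinct = len({d for _, d in events[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            flagged[src] = best
    return flagged

if __name__ == "__main__":
    hits = find_scanning_servers(build_sample_flows(), WEB_SERVERS)
    for host, fanout in hits.items():
        print(f"{host}: {fanout} distinct port-80 destinations within 60 s")
```

Hosts flagged this way are the candidates for network isolation; the threshold needs tuning against each server's normal outbound baseline.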

Communicator Stakeholder Interviews:

  • Citizen communications regarding tax filing disruption and government service unavailability
  • Federal agency coordination about government infrastructure attacks and national security implications
  • Public trust management through transparent communication about government cybersecurity incident

Mid-Scenario Pressure Points:

  • Hour 1: 500,000 citizens unable to file taxes due to defaced government portals with 48-hour deadline approaching
  • Hour 2: Federal agencies report state government servers attacking Department of Defense and critical infrastructure
  • Hour 3: Governor’s office demands immediate restoration of citizen services and explanation of security failure
  • Hour 4: News media reports government cybersecurity incident affecting citizen services and national security

Evolution Triggers:

  • If response exceeds 24 hours, citizens miss the tax filing deadline, creating a massive public service crisis
  • If government network isolation fails, infection spreads to other agencies and classified systems
  • If federal coordination is inadequate, government infrastructure continues participating in attacks against national security targets

Resolution Pathways:

Technical Success Indicators:

  • Emergency patch deployment stops worm propagation across government web infrastructure
  • Citizen services restored through secure backup systems maintaining tax filing deadline
  • Government servers removed from coordinated attack network through federal cybersecurity coordination

Business Success Indicators:

  • Government operations maintained with minimal impact on citizen services and tax season completion
  • Public trust protected through transparent communication and professional incident management
  • Federal relationships maintained through coordinated response and national security cooperation

Learning Success Indicators:

  • Team understands government infrastructure’s critical role in national cybersecurity
  • Participants recognize government cybersecurity responsibilities during critical service periods
  • Group demonstrates coordination between citizen service delivery and national security obligations

Common IM Facilitation Challenges:

If National Security Implications Are Minimized:

“Your citizen service restoration is important, but Agent Park just reported that your government servers are attacking Department of Defense infrastructure. How does this change your response priorities and coordination requirements?”

If Citizen Impact Is Ignored:

“While you’re coordinating with federal agencies, Sarah has 500,000 citizens calling about tax filing with the deadline in 36 hours. How do you balance national security response with critical citizen service delivery?”

If Government Responsibility Is Overlooked:

“Captain Mitchell discovered that your compromised servers are attacking other state agencies and federal systems. How do you address your government’s role in attacking other government infrastructure?”

Success Metrics for Session: