Code Red Scenario: Government Portal Crisis

Code Red Scenario: Government Portal Crisis

State Department of Revenue: State government tax and services portal, 1,200 employees, serving 8M citizens

• Code Red

STAKES

Citizen service delivery + Government operations + National security implications + Public trust

HOOK

The State Department of Revenue is managing peak tax season traffic when their IIS servers hosting citizen portals begin displaying defacement messages instead of tax filing, license renewal, and benefit application services. The compromised government servers are now generating massive outbound scanning traffic and participating in coordinated internet attacks, creating both immediate service disruption and serious national security concerns.

PRESSURE

• Tax filing deadline in 48 hours – citizen service disruption affects millions + Government infrastructure compromised threatens national security

FRONT • 90 minutes • Intermediate

State Department of Revenue: State government tax and services portal, 1,200 employees, serving 8M citizens

• Code Red

NPCs

• Robert Kline (Agency Director): Managing critical citizen services during tax season while addressing national security implications of government infrastructure compromise
• Maria Gonzalez (Information Security Officer): Coordinating with federal cybersecurity agencies about government server compromise and participation in internet-wide attacks
• David Park (Public Services Manager): Managing citizen communications as tax filing, license renewal, and benefit portals display defacement messages instead of government services
• Agent Lisa Montgomery (FBI Cyber Division): Investigating potential national security implications of government infrastructure participating in coordinated internet attacks

SECRETS

• Government agency delayed IIS patches during tax season to avoid disrupting critical citizen services
• Citizen service portals and government infrastructure share vulnerable web servers without proper security segmentation
• Government servers are now participating in coordinated attacks against other government and critical infrastructure targets

Code Red Scenario: Government Portal Crisis

Direction Générale des Finances Publiques: Government financial services portal, 2,000 employees, serving 25M citizens

• Code Red

STAKES

Citizen service delivery + Government operations + National security implications + Public trust

HOOK

The Direction Générale des Finances Publiques is managing peak tax season traffic when their IIS servers hosting citizen portals begin displaying defacement messages instead of tax filing, license renewal, and benefit application services. The compromised government servers are now generating massive outbound scanning traffic and participating in coordinated internet attacks, creating both immediate service disruption and serious national security concerns.

PRESSURE

• Tax filing deadline in 48 hours – citizen service disruption affects millions + Government infrastructure compromised threatens national security

FRONT • 90 minutes • Intermediate

Direction Générale des Finances Publiques: Government financial services portal, 2,000 employees, serving 25M citizens

• Code Red

NPCs

• Jean-Pierre Moreau (Agency Director): Managing critical citizen services during tax season while addressing national security implications of government infrastructure compromise
• Sophie Lambert (Information Security Officer): Coordinating with federal cybersecurity agencies about government server compromise and participation in internet-wide attacks
• Antoine Lefebvre (Public Services Manager): Managing citizen communications as tax filing, license renewal, and benefit portals display defacement messages instead of government services
• Agent Nathalie Dupont (DGSI): Investigating potential national security implications of government infrastructure participating in coordinated internet attacks

SECRETS

• Government agency delayed IIS patches during tax season to avoid disrupting critical citizen services
• Citizen service portals and government infrastructure share vulnerable web servers without proper security segmentation
• Government servers are now participating in coordinated attacks against other government and critical infrastructure targets

Planning Resources

Tip📋 Comprehensive Facilitation Guide Available

For detailed session preparation support, including game configuration templates, investigation timelines, response options matrix, and round-by-round facilitation guidance, see:

Code Red Government Portal Planning Document

Planning documents provide 30-minute structured preparation for first-time IMs, or quick-reference support for experienced facilitators.

Note🎬 Interactive Scenario Slides

Ready-to-present RevealJS slides with player-safe mode, session tracking, and IM facilitation notes:

Code Red Government Portal Scenario Slides

Press ‘P’ to toggle player-safe mode • Built-in session state tracking • Dark/light theme support

Scenario Details for IMs

Hook

“It’s Tuesday morning at the State Department of Revenue during the final 48 hours of tax season, with millions of citizens trying to file taxes and access government services online. Instead of tax portals and license renewal systems, government websites are displaying defacement messages – ‘HELLO! Welcome to http://www.worm.com! Hacked By Chinese!’ Federal cybersecurity agencies are calling because the state’s government servers are generating massive outbound scanning traffic and actively attacking other government infrastructure across the internet.”

“It’s Tuesday morning at the Direction Générale des Finances Publiques during the final 48 hours of tax season, with millions of citizens trying to file taxes and access government services online. Instead of tax portals and license renewal systems, government websites are displaying defacement messages – ‘HELLO! Welcome to http://www.worm.com! Hacked By Chinese!’ Federal cybersecurity agencies are calling because the government servers are generating massive outbound scanning traffic and actively attacking other government infrastructure across the internet.”

Initial Symptoms to Present:

Warning🚨 Initial User Reports

• “Tax filing portal displaying defacement message instead of citizen tax services”
• “License renewal and benefit application websites showing identical compromise messages”
• “Government IIS servers generating massive scanning traffic targeting other government agencies”
• “Federal agencies reporting attacks originating from state government infrastructure”

Key Discovery Paths:

Detective Investigation Leads:

Note🔍 Detective Investigation Path

• Government network forensics reveal buffer overflow exploitation targeting citizen service infrastructure
• Public service system analysis shows memory-only worm infection across government web servers
• Tax season timeline analysis indicates compromise during peak citizen service demand

Protector System Analysis:

Note🛡️ Protector System Analysis

• Government network monitoring reveals infected servers attacking federal infrastructure and other agencies
• Citizen service system assessment shows delayed patch management affecting critical government operations
• National security analysis indicates potential classified system exposure through government network compromise

Tracker Network Investigation:

Note🌐 Tracker Network Investigation

• Internet traffic analysis reveals government infrastructure participating in coordinated attacks against critical infrastructure
• Government network communication patterns show coordination with other infected government and military systems
• Federal coordination reveals multi-agency impact and national security implications

Communicator Stakeholder Interviews:

Note🗣️ Communicator Stakeholder Interviews

• Citizen communications regarding tax filing disruption and government service unavailability
• Federal agency coordination about government infrastructure attacks and national security implications
• Public trust management through transparent communication about government cybersecurity incident

Mid-Scenario Pressure Points:

• Hour 1: 500,000 citizens unable to file taxes due to defaced government portals with 48-hour deadline approaching
• Hour 2: Federal agencies report state government servers attacking Department of Defense and critical infrastructure
• Hour 3: Governor’s office demands immediate restoration of citizen services and explanation of security failure
• Hour 4: News media reports government cybersecurity incident affecting citizen services and national security

Evolution Triggers:

• If response exceeds 24 hours, citizens miss tax filing deadline creating massive public service crisis
• If government network isolation fails, infection spreads to other agencies and classified systems
• If federal coordination is inadequate, government infrastructure continues participating in attacks against national security targets

Resolution Pathways:

Technical Success Indicators:

• Emergency patch deployment stops worm propagation across government web infrastructure
• Citizen services restored through secure backup systems maintaining tax filing deadline
• Government servers removed from coordinated attack network through federal cybersecurity coordination

Business Success Indicators:

• Government operations maintained with minimal impact on citizen services and tax season completion
• Public trust protected through transparent communication and professional incident management
• Federal relationships maintained through coordinated response and national security cooperation

Learning Success Indicators:

• Team understands government infrastructure’s critical role in national cybersecurity
• Participants recognize government cybersecurity responsibilities during critical service periods
• Group demonstrates coordination between citizen service delivery and national security obligations

Common IM Facilitation Challenges:

If National Security Implications Are Minimized:

“Your citizen service restoration is important, but Agent Lisa Montgomery just reported that your government servers are attacking Department of Defense infrastructure. How does this change your response priorities and coordination requirements?”

If Citizen Impact Is Ignored:

“While you’re coordinating with federal agencies, David Park has 500,000 citizens calling about tax filing with the deadline in 36 hours. How do you balance national security response with critical citizen service delivery?”

If Government Responsibility Is Overlooked:

“Maria Gonzalez discovered that your compromised servers are attacking other government agencies and federal systems. How do you address your government’s role in attacking other government infrastructure?”

Mid-Scenario Pressure Points:

• Hour 1: 500,000 citizens unable to file taxes due to defaced government portals with 48-hour deadline approaching
• Hour 2: Federal agencies report state government servers attacking Ministère des Armées and critical infrastructure
• Hour 3: Matignon demands immediate restoration of citizen services and explanation of security failure
• Hour 4: News media reports government cybersecurity incident affecting citizen services and national security

Evolution Triggers:

• If response exceeds 24 hours, citizens miss tax filing deadline creating massive public service crisis
• If government network isolation fails, infection spreads to other agencies and classified systems
• If federal coordination is inadequate, government infrastructure continues participating in attacks against national security targets

Resolution Pathways:

Technical Success Indicators:

• Emergency patch deployment stops worm propagation across government web infrastructure
• Citizen services restored through secure backup systems maintaining tax filing deadline
• Government servers removed from coordinated attack network through federal cybersecurity coordination

Business Success Indicators:

• Government operations maintained with minimal impact on citizen services and tax season completion
• Public trust protected through transparent communication and professional incident management
• Federal relationships maintained through coordinated response and national security cooperation

Learning Success Indicators:

• Team understands government infrastructure’s critical role in national cybersecurity
• Participants recognize government cybersecurity responsibilities during critical service periods
• Group demonstrates coordination between citizen service delivery and national security obligations

Common IM Facilitation Challenges:

If National Security Implications Are Minimized:

“Your citizen service restoration is important, but Agent Nathalie Dupont just reported that your government servers are attacking Ministère des Armées infrastructure. How does this change your response priorities and coordination requirements?”

If Citizen Impact Is Ignored:

“While you’re coordinating with federal agencies, Antoine Lefebvre has 500,000 citizens calling about tax filing with the deadline in 36 hours. How do you balance national security response with critical citizen service delivery?”

If Government Responsibility Is Overlooked:

“Sophie Lambert discovered that your compromised servers are attacking other government agencies and federal systems. How do you address your government’s role in attacking other government infrastructure?”

Success Metrics for Session:

• Team understands government infrastructure’s national security responsibilities
• Citizen services and public trust maintained as priority throughout incident response
• Federal coordination demonstrates understanding of government cybersecurity obligations
• Learning includes government web services security and national security implications
• Response strategy balances immediate citizen needs with national security coordination

Template Compatibility

Quick Demo (35-40 min)

• Rounds: 1
• Actions per Player: 1
• Investigation: Guided
• Response: Pre-defined
• Focus: Use the “Hook” and “Initial Symptoms” to quickly establish government services crisis. Present the “Guided Investigation Clues” at 5-minute intervals. Offer the “Pre-Defined Response Options” for the team to choose from. Quick debrief should focus on recognizing worm propagation patterns and government infrastructure vulnerabilities.

Lunch & Learn (75-90 min)

• Rounds: 2
• Actions per Player: 2
• Investigation: Guided
• Response: Pre-defined
• Focus: This template allows for deeper exploration of government cybersecurity challenges. Use the full set of NPCs to create realistic tax season pressures and national security concerns. The two rounds allow Code Red to spread affecting more government services, raising stakes. Debrief can explore balance between citizen services and national security obligations.

Full Game (120-140 min)

• Rounds: 3
• Actions per Player: 2
• Investigation: Open
• Response: Creative
• Focus: Players have freedom to investigate using the “Key Discovery Paths” as IM guidance. They must develop response strategies balancing citizen tax filing deadlines, government operations, national security implications, and federal agency coordination. The three rounds allow for full narrative arc including worm’s government-infrastructure-specific propagation and critical infrastructure attack participation.

Advanced Challenge (150-170 min)

• Rounds: 3
• Actions per Player: 2
• Investigation: Open
• Response: Creative
• Complexity: Add red herrings (e.g., legitimate government system updates causing unrelated service disruptions). Make containment ambiguous, requiring players to justify citizen-facing decisions with incomplete information. Remove access to reference materials to test knowledge recall of worm behavior and government security principles.

🌍 Localizing to Other EU Countries

This French variation can be adapted to other EU countries during facilitation. All EU countries share GDPR (72-hour breach notification) but have different regulatory institutions.

When running this scenario for another EU country, substitute these elements:

Country	Data Protection Authority	Cybersecurity Agency	Tax Agency
Germany	BfDI	BSI	Bundeszentralamt für Steuern
Italy	Garante Privacy	ACN	Agenzia delle Entrate
Spain	AEPD	INCIBE	Agencia Tributaria
Netherlands	Autoriteit Persoonsgegevens	NCSC-NL	Belastingdienst
Belgium	GBA/APD	CCB	SPF Finances
Portugal	CNPD	CNCERT	Autoridade Tributária

Notes:

• Germany: Federal structure - may need state-level tax authority (Landesfinanzamt)
• Italy: Regional tax offices have significant autonomy
• Spain: 17 autonomous regional tax systems with different procedures

Government agency names and NPC names are left to the IM's discretion.

Quick Demo Materials (35-40 min)

Guided Investigation Clues

Clue 1 (Minute 5): “Government network forensics reveal active exploitation of an IIS buffer overflow vulnerability in servers hosting 40+ government service websites. A memory-resident infection is spreading autonomously through government infrastructure, defacing tax portals and government websites with ‘HELLO! Welcome to http://www.worm.com! Hacked By Chinese!’ messages during the final 48 hours of tax season.”

Clue 2 (Minute 10): “Federal cybersecurity monitoring shows infected government servers generating massive internet scanning traffic and participating in coordinated attacks against Department of Defense and critical infrastructure targets. System assessment reveals the department delayed IIS patches during tax season to avoid disrupting critical citizen services, creating widespread vulnerability across government infrastructure serving 2.5 million citizens.”

Clue 3 (Minute 15): “Internet traffic analysis reveals government servers attacking other government agencies and federal systems across the internet. Maria Gonzalez reports 500,000 citizens unable to file taxes with 36-hour deadline remaining, while Agent Lisa Montgomery confirms FBI Cyber Division investigation of government infrastructure participating in potential national security threats through coordinated attack coordination.”

Guided Investigation Clues

Clue 1 (Minute 5): “Government network forensics reveal active exploitation of an IIS buffer overflow vulnerability in servers hosting 40+ government service websites. A memory-resident infection is spreading autonomously through government infrastructure, defacing tax portals and government websites with ‘HELLO! Welcome to http://www.worm.com! Hacked By Chinese!’ messages during the final 48 hours of tax season.”

Clue 2 (Minute 10): “Federal cybersecurity monitoring shows infected government servers generating massive internet scanning traffic and participating in coordinated attacks against Ministère des Armées and critical infrastructure targets. System assessment reveals the department delayed IIS patches during tax season to avoid disrupting critical citizen services, creating widespread vulnerability across government infrastructure serving 2.5 million citizens.”

Clue 3 (Minute 15): “Internet traffic analysis reveals government servers attacking other government agencies and federal systems across the internet. Sophie Lambert reports 500,000 citizens unable to file taxes with 36-hour deadline remaining, while Agent Nathalie Dupont confirms DGSI investigation of government infrastructure participating in potential national security threats through coordinated attack coordination.”

Pre-Defined Response Options

Option A: Emergency IIS Patching & Federal Coordination

• Action: Immediately deploy emergency IIS patches to all government web servers, isolate infected systems from internet to stop coordinated attacks, restore citizen services from secure backups, coordinate with federal cybersecurity agencies about national security threat cessation.
• Pros: Completely stops worm propagation and ends government participation in attacks against federal infrastructure; enables rapid citizen service restoration for tax filing deadline; demonstrates responsible government cybersecurity practices.
• Cons: Requires complete government web infrastructure patching affecting all 40+ citizen service websites temporarily; some citizen data from tax season may need restoration from backups.
• Type Effectiveness: Super effective against Worm type malmons like Code Red; memory-only worm is eliminated through reboot after patching.

Option B: Prioritized Service Restoration & Citizen Focus

• Action: Quarantine confirmed infected servers, implement prioritized restoration for critical tax filing and license renewal services first, maintain citizen services for unaffected portals while accelerating government-wide remediation and federal coordination.
• Pros: Allows continued citizen access to critical government services; protects tax filing deadline through service-prioritized recovery for most urgent citizen needs.
• Cons: Risks continued worm propagation in non-prioritized government infrastructure; department continues participating in attacks against federal systems during selective restoration; may affect non-essential services disproportionately.
• Type Effectiveness: Moderately effective against Worm threats; reduces but doesn’t eliminate worm presence or coordinated attack participation.

Option C: Complete Infrastructure Shutdown & National Security Priority

• Action: Perform immediate government infrastructure shutdown to eliminate worm and stop attacks against federal systems, coordinate with federal agencies about national security response, rapidly restore all citizen services simultaneously from backups with enhanced security controls.
• Pros: Fastest elimination of national security threat through immediate attack cessation; demonstrates government cybersecurity responsibility through coordinated federal response and information sharing.
• Cons: Requires complete government services downtime affecting all 2.5 million citizens simultaneously during tax season; citizens may miss tax filing deadline without alternative filing methods; doesn’t address underlying IIS vulnerability enabling future reinfection.
• Type Effectiveness: Partially effective against Worm malmon type; eliminates current infection but leaves vulnerability for rapid reinfection without proper patching.

Lunch & Learn Materials (75-90 min, 2 rounds)

Round 1: Discovery & Identification (30-35 min)

Investigation Clues:

• Clue 1 (Minute 5): Citizen Services Manager David Park reports hundreds of calls from citizens seeing defacement messages when trying to file taxes online during the final week before April 15th deadline. “Citizens can’t access tax filing, driver’s license renewal, or any of our 40+ government services!”
• Clue 2 (Minute 10): Government IT forensics reveal an IIS buffer overflow being actively exploited across state portal infrastructure. An infection is autonomously spreading through government web servers, defacing citizen service pages with “HELLO! Welcome to http://www.worm.com! Hacked By Chinese!” during peak tax season.
• Clue 3 (Minute 15): State network monitoring shows infected government servers generating massive scanning traffic and participating in coordinated attacks against federal infrastructure including IRS systems and Department of Homeland Security networks.
• Clue 4 (Minute 20): IT Security Director Maria Gonzalez reveals that IIS patches were delayed to avoid disrupting critical tax season services. “We couldn’t risk downtime during the week before tax filing deadline when millions of citizens need access.”

Response Options:

• Option A: Emergency Service Reboot - Immediately reboot all infected government servers to clear memory-only worm, restore citizen services from backups, delay comprehensive patching until after tax filing deadline.
  • Pros: Fastest path to citizen service restoration; minimal tax season disruption; maintains filing deadline access for citizens.
  • Cons: Doesn’t patch underlying IIS vulnerability; servers will be reinfected within hours; continues attacks on federal infrastructure.
  • Type Effectiveness: Partially effective – clears current infection but leaves reinfection vector open.
• Option B: Prioritized Critical Services Patching - Patch tax filing and driver’s license renewal systems first (highest citizen demand), quarantine remaining infected services, restore in priority order.
  • Pros: Protects most critical citizen services; balances security with public service mission; enables controlled restoration.
  • Cons: Non-essential services remain compromised; differential service availability may affect vulnerable populations; partial federal attack participation continues.
  • Type Effectiveness: Moderately effective – stops propagation in patched systems but worm remains active in others.
• Option C: Full Shutdown & Manual Filing - Isolate entire government portal from internet to stop federal attacks, provide manual/phone tax filing alternatives, defer digital service restoration until post-deadline.
  • Pros: Stops attacks on federal infrastructure immediately; enables systematic patching; demonstrates government cybersecurity responsibility.
  • Cons: Forces 2.5 million citizens to manual filing alternatives; overwhelms phone systems; elderly and disabled citizens face accessibility barriers.
  • Type Effectiveness: Moderately effective – contains threat but shifts burden to citizens and alternative systems.

Round 2: Scope Assessment & Response (30-35 min)

Investigation Clues:

• Clue 5 (Minute 30): If Option A (reboot only) was chosen: Within 2 hours, government portal is reinfected. Federal agencies report state systems are attacking IRS and Department of Homeland Security infrastructure. “Department of Homeland Security is demanding explanation for attacks originating from state government networks.”
• Clue 5 (Minute 30): If Option B or C was chosen: Analysis shows tax filing services restored but 100,000 citizens unable to access driver’s license renewal, unemployment benefits, and social services during critical periods affecting vulnerable populations.
• Clue 6 (Minute 40): Forensics reveal worm has been resident in government infrastructure for 24 hours, allowing potential access to citizen data including social security numbers, driver’s license information, and tax records for 500,000 residents.
• Clue 7 (Minute 50): Governor’s office receives media inquiries about government data security and attacks on federal systems. “We need to demonstrate accountability to citizens and explain how their personal information is protected.”
• Clue 8 (Minute 55): Legal counsel advises that citizen data exposure requires breach notification under state and federal law. Tax filing deadline is 72 hours away and 200,000 citizens still haven’t filed.

Response Options:

• Option A: Emergency Full Remediation with Federal Coordination - Deploy comprehensive IIS patching across entire government infrastructure, coordinate with federal agencies on national security response, issue proactive citizen data exposure notification, extend tax filing deadline by 48 hours.
  • Pros: Completely eliminates worm; demonstrates accountability through transparent citizen communication; federal coordination addresses national security concerns; deadline extension protects citizen needs.
  • Cons: Brief downtime during critical tax week; acknowledges government security failure publicly; deadline extension requires legislative/gubernatorial action.
  • Type Effectiveness: Super effective against Worm type – eliminates vulnerability and infection completely.
• Option B: Phased Recovery with Citizen Support - Continue prioritized remediation maintaining critical services, implement enhanced citizen support (extended hours, additional staff), provide detailed incident updates with data exposure assessment.
  • Pros: Balances security with public service continuity; enhanced support helps vulnerable populations; demonstrates government responsiveness.
  • Cons: Extended remediation timeline; some services remain vulnerable; differential access may affect disadvantaged citizens.
  • Type Effectiveness: Moderately effective – progressive improvement but temporary exposure remains.
• Option C: Third-Party Support & Parallel Systems - Engage federal cybersecurity assistance (CISA), implement backup citizen service systems, conduct comprehensive forensic analysis of citizen data exposure while maintaining tax filing capability.
  • Pros: Federal expertise accelerates response; backup systems maintain critical services; thorough citizen data assessment.
  • Cons: Expensive federal support coordination; potential citizen data exposure to external agencies; admission of insufficient state capability.
  • Type Effectiveness: Moderately effective – improves response quality but extends timeline and increases complexity.

Lunch & Learn Materials (75-90 min, 2 rounds)

Round 1: Discovery & Identification (30-35 min)

Investigation Clues:

• Clue 1 (Minute 5): Citizen Services Manager Antoine Lefebvre reports hundreds of calls from citizens seeing defacement messages when trying to file taxes online during the final week before April 15th deadline. “Citizens can’t access tax filing, driver’s license renewal, or any of our 40+ government services!”
• Clue 2 (Minute 10): Government IT forensics reveal an IIS buffer overflow being actively exploited across state portal infrastructure. An infection is autonomously spreading through government web servers, defacing citizen service pages with “HELLO! Welcome to http://www.worm.com! Hacked By Chinese!” during peak tax season.
• Clue 3 (Minute 15): State network monitoring shows infected government servers generating massive scanning traffic and participating in coordinated attacks against federal infrastructure including DGFiP systems and Ministère de l’Intérieur networks.
• Clue 4 (Minute 20): IT Security Director Sophie Lambert reveals that IIS patches were delayed to avoid disrupting critical tax season services. “We couldn’t risk downtime during the week before tax filing deadline when millions of citizens need access.”

Response Options:

• Option A: Emergency Service Reboot - Immediately reboot all infected government servers to clear memory-only worm, restore citizen services from backups, delay comprehensive patching until after tax filing deadline.
  • Pros: Fastest path to citizen service restoration; minimal tax season disruption; maintains filing deadline access for citizens.
  • Cons: Doesn’t patch underlying IIS vulnerability; servers will be reinfected within hours; continues attacks on federal infrastructure.
  • Type Effectiveness: Partially effective – clears current infection but leaves reinfection vector open.
• Option B: Prioritized Critical Services Patching - Patch tax filing and driver’s license renewal systems first (highest citizen demand), quarantine remaining infected services, restore in priority order.
  • Pros: Protects most critical citizen services; balances security with public service mission; enables controlled restoration.
  • Cons: Non-essential services remain compromised; differential service availability may affect vulnerable populations; partial federal attack participation continues.
  • Type Effectiveness: Moderately effective – stops propagation in patched systems but worm remains active in others.
• Option C: Full Shutdown & Manual Filing - Isolate entire government portal from internet to stop federal attacks, provide manual/phone tax filing alternatives, defer digital service restoration until post-deadline.
  • Pros: Stops attacks on federal infrastructure immediately; enables systematic patching; demonstrates government cybersecurity responsibility.
  • Cons: Forces 2.5 million citizens to manual filing alternatives; overwhelms phone systems; elderly and disabled citizens face accessibility barriers.
  • Type Effectiveness: Moderately effective – contains threat but shifts burden to citizens and alternative systems.

Round 2: Scope Assessment & Response (30-35 min)

Investigation Clues:

• Clue 5 (Minute 30): If Option A (reboot only) was chosen: Within 2 hours, government portal is reinfected. Federal agencies report state systems are attacking DGFiP and Ministère de l’Intérieur infrastructure. “Ministère de l’Intérieur is demanding explanation for attacks originating from state government networks.”
• Clue 5 (Minute 30): If Option B or C was chosen: Analysis shows tax filing services restored but 100,000 citizens unable to access driver’s license renewal, unemployment benefits, and social services during critical periods affecting vulnerable populations.
• Clue 6 (Minute 40): Forensics reveal worm has been resident in government infrastructure for 24 hours, allowing potential access to citizen data including social security numbers, driver’s license information, and tax records for 500,000 residents.
• Clue 7 (Minute 50): Matignon receives media inquiries about government data security and attacks on federal systems. “We need to demonstrate accountability to citizens and explain how their personal information is protected.”
• Clue 8 (Minute 55): Legal counsel advises that citizen data exposure requires breach notification under state and federal law. Tax filing deadline is 72 hours away and 200,000 citizens still haven’t filed.

Response Options:

• Option A: Emergency Full Remediation with Federal Coordination - Deploy comprehensive IIS patching across entire government infrastructure, coordinate with federal agencies on national security response, issue proactive citizen data exposure notification, extend tax filing deadline by 48 hours.
  • Pros: Completely eliminates worm; demonstrates accountability through transparent citizen communication; federal coordination addresses national security concerns; deadline extension protects citizen needs.
  • Cons: Brief downtime during critical tax week; acknowledges government security failure publicly; deadline extension requires legislative/gubernatorial action.
  • Type Effectiveness: Super effective against Worm type – eliminates vulnerability and infection completely.
• Option B: Phased Recovery with Citizen Support - Continue prioritized remediation maintaining critical services, implement enhanced citizen support (extended hours, additional staff), provide detailed incident updates with data exposure assessment.
  • Pros: Balances security with public service continuity; enhanced support helps vulnerable populations; demonstrates government responsiveness.
  • Cons: Extended remediation timeline; some services remain vulnerable; differential access may affect disadvantaged citizens.
  • Type Effectiveness: Moderately effective – progressive improvement but temporary exposure remains.
• Option C: Third-Party Support & Parallel Systems - Engage federal cybersecurity assistance (ANSSI), implement backup citizen service systems, conduct comprehensive forensic analysis of citizen data exposure while maintaining tax filing capability.
  • Pros: Federal expertise accelerates response; backup systems maintain critical services; thorough citizen data assessment.
  • Cons: Expensive federal support coordination; potential citizen data exposure to external agencies; admission of insufficient state capability.
  • Type Effectiveness: Moderately effective – improves response quality but extends timeline and increases complexity.

Round Transition Narrative

After Round 1 → Round 2:

The team’s initial response determines whether government services quickly return to vulnerable operation (reboot approach) or maintain containment with significant citizen service impact (isolation/selective approaches). Either way, the situation escalates as federal agencies demand explanation for attacks, forensics reveals extensive citizen data exposure, media questions government cybersecurity practices, and the tax filing deadline approaches with hundreds of thousands of citizens still needing access. The team must balance complete security remediation with citizen service mission, federal coordination, data protection, and democratic accountability.

Full Game Materials (120-140 min, 3 rounds)

NoteHow Full Game Differs from Lunch & Learn

The Full Game expands the scenario from 2 guided rounds to 3 open-ended rounds. Players drive their own investigation using the Key Discovery Paths above rather than receiving timed clues. Round 3 shifts from immediate crisis response to long-term strategic recovery. Rounds run 30-35 minutes each with more open-ended decision-making. Use the Resolution Pathways section to guide your assessment of team progress.

Round 1: Initial Government Infrastructure Worm Outbreak (30 min)

Tax filing deadline in 48 hours – the government agency manages citizen portals serving millions of residents for tax filing, license renewals, and benefit applications. Information Security Officer Maria Gonzalez detects government IIS servers scanning the internet aggressively while Public Services Manager David Park reports that citizen portals are displaying defacement messages instead of government services.

Open investigation guidance: All four Key Discovery Paths are available. Teams typically uncover the unpatched IIS buffer overflow (delayed during tax season to avoid service disruption), the worm’s autonomous propagation across 40+ government service websites, and the critical discovery that compromised government servers are now participating in coordinated attacks against other government and critical infrastructure targets.

If the team stalls: “Maria Gonzalez receives urgent communication from FBI Cyber Division Agent Lisa Montgomery: ‘Your government infrastructure is participating in coordinated internet attacks against federal targets. We need to understand your remediation timeline immediately.’”

Facilitation questions:

• “Government servers attacking other government infrastructure creates national security implications – how does that change your response urgency versus a typical website defacement?”
• “2.5 million citizens have a tax filing deadline in 48 hours – how do you balance citizen service continuity with security remediation?”
• “The IIS patches were delayed to avoid disrupting tax season – the same reasoning that created the vulnerability. How do you break this cycle?”

Round 1→2 Transition

The investigation reveals worm propagation across all 40+ government service websites. Director Robert Kline faces a national security crisis: government infrastructure is being used to attack other government and critical infrastructure targets, while millions of citizens are losing access to essential services during tax deadline. FBI Cyber Division Agent Lisa Montgomery formally requests cooperation and remediation timeline documentation.

Round 2: National Security & Citizen Service Crisis (35 min)

If teams chose immediate government infrastructure isolation: All citizen services offline 48 hours before tax deadline. 2.5 million residents unable to file taxes, renew licenses, or access benefits. Media coverage: “State Government Shuts Down Services During Tax Season.” Political pressure from Governor’s office intensifying.

If teams chose phased remediation: Worm continues spreading through unpatched servers. Government infrastructure still participating in attacks against federal targets. FBI Cyber Division escalating pressure for complete remediation. Some citizen services restored but reinfection cycle continues, and national security implications grow every hour.

New developments beyond Round 1: FBI Cyber Division investigation reveals government servers are participating in coordinated DDoS preparations targeting federal government websites – the worm contains hardcoded attack triggers. Citizen data on government servers (tax records, personal identification, benefit applications) was potentially accessible during worm dwell time. State legislature members demanding public accountability for government cybersecurity failures.

Facilitation questions:

• “Your government infrastructure is being weaponized against federal targets – what’s your obligation as a government agency beyond just fixing your own systems?”
• “Citizen tax records, personal identification, and benefit applications were potentially exposed – how do you handle government data breach notification for 2.5 million people?”
• “FBI Cyber Division wants extended access to your systems for investigation while you need those systems for citizen services – how do you balance federal cooperation with service restoration?”

Round 2→3 Transition

The immediate worm propagation is contained – servers are patched and citizen services are being restored. But government infrastructure participated in attacks against federal targets, citizen data was potentially exposed, and public trust in government technology is shaken. Focus shifts from hours to weeks: citizen data protection, federal investigation cooperation, and government cybersecurity modernization.

Round 3: Long-Term Government Cybersecurity & Public Trust (35 min)

Four weeks post-incident. Citizen services are restored but the political and security aftermath continues. FBI Cyber Division investigation is active, State legislature has convened oversight hearings, and citizens are questioning whether their personal data is safe with government agencies. The government agency faces a defining question: how do you restore public trust when government infrastructure was both victim and weapon?

Investigation focus areas:

• Government cybersecurity architecture – Maria Gonzalez proposes: automated patch management across all government systems, network segmentation between citizen-facing services and internal infrastructure, continuous monitoring with federal threat intelligence integration. 12-week implementation, requires legislative budget approval
• Citizen data protection assessment – Robert Kline coordinates with state privacy office: what citizen data was potentially accessible, notification obligations for millions of residents, identity protection services
• Federal investigation cooperation – FBI Cyber Division Agent Lisa Montgomery requires ongoing system access, documentation, and testimony about the patch delay decision and government infrastructure’s role in attacks
• Political accountability – State legislature oversight committee demanding explanation of how government infrastructure was used to attack federal targets, and why security patches were delayed during critical service periods

Pressure events:

• State legislature oversight hearing scheduled – Robert Kline must testify about the patch delay decision and government participation in attacks
• Citizen advocacy group files public records request for all communications about the patch delay decision
• Federal government considers restricting state’s access to certain intergovernmental systems pending security review
• Governor’s office requests Robert Kline’s resignation plan “as an option” for political accountability

Facilitation questions:

• “Government agencies have unique accountability obligations – how is breach response different when your ‘customers’ are citizens who can’t choose another provider?”
• “The patch delay was a rational decision to protect tax season services – but it enabled government infrastructure to attack federal targets. How should institutional accountability work?”
• “How do you modernize government cybersecurity within the constraints of budget cycles, procurement rules, and political oversight?”

Victory Conditions

• Worm eliminated across all government infrastructure with comprehensive verification
• Citizen services restored and data exposure assessment completed
• Federal investigation cooperation established while maintaining service operations
• Government cybersecurity modernization plan developed with legislative support

Debrief Focus (Full Game)

• How government infrastructure compromises create national security implications beyond typical organizational breaches
• The unique tension between citizen service continuity obligations and security remediation in government agencies
• Why governments face accountability dynamics (legislative oversight, public records, political pressure) that private sector organizations don’t
• How government patch delay decisions during critical service periods mirror private sector revenue-driven security compromises
• Long-term trust recovery when government agencies – which citizens can’t choose to leave – fail at data protection

Round 1: Initial Government Infrastructure Worm Outbreak (30 min)

Tax filing deadline in 48 hours – the government agency manages citizen portals serving millions of residents for tax filing, license renewals, and benefit applications. Information Security Officer Sophie Lambert detects government IIS servers scanning the internet aggressively while Public Services Manager Antoine Lefebvre reports that citizen portals are displaying defacement messages instead of government services.

Open investigation guidance: All four Key Discovery Paths are available. Teams typically uncover the unpatched IIS buffer overflow (delayed during tax season to avoid service disruption), the worm’s autonomous propagation across 40+ government service websites, and the critical discovery that compromised government servers are now participating in coordinated attacks against other government and critical infrastructure targets.

If the team stalls: “Sophie Lambert receives urgent communication from DGSI Agent Nathalie Dupont: ‘Your government infrastructure is participating in coordinated internet attacks against federal targets. We need to understand your remediation timeline immediately.’”

Facilitation questions:

• “Government servers attacking other government infrastructure creates national security implications – how does that change your response urgency versus a typical website defacement?”
• “2.5 million citizens have a tax filing deadline in 48 hours – how do you balance citizen service continuity with security remediation?”
• “The IIS patches were delayed to avoid disrupting tax season – the same reasoning that created the vulnerability. How do you break this cycle?”

Round 1→2 Transition

The investigation reveals worm propagation across all 40+ government service websites. Director Jean-Pierre Moreau faces a national security crisis: government infrastructure is being used to attack other government and critical infrastructure targets, while millions of citizens are losing access to essential services during tax deadline. DGSI Agent Nathalie Dupont formally requests cooperation and remediation timeline documentation.

Round 2: National Security & Citizen Service Crisis (35 min)

If teams chose immediate government infrastructure isolation: All citizen services offline 48 hours before tax deadline. 2.5 million residents unable to file taxes, renew licenses, or access benefits. Media coverage: “State Government Shuts Down Services During Tax Season.” Political pressure from Matignon intensifying.

If teams chose phased remediation: Worm continues spreading through unpatched servers. Government infrastructure still participating in attacks against federal targets. DGSI escalating pressure for complete remediation. Some citizen services restored but reinfection cycle continues, and national security implications grow every hour.

New developments beyond Round 1: DGSI investigation reveals government servers are participating in coordinated DDoS preparations targeting federal government websites – the worm contains hardcoded attack triggers. Citizen data on government servers (tax records, personal identification, benefit applications) was potentially accessible during worm dwell time. Assemblée nationale members demanding public accountability for government cybersecurity failures.

Facilitation questions:

• “Your government infrastructure is being weaponized against federal targets – what’s your obligation as a government agency beyond just fixing your own systems?”
• “Citizen tax records, personal identification, and benefit applications were potentially exposed – how do you handle government data breach notification for 2.5 million people?”
• “DGSI wants extended access to your systems for investigation while you need those systems for citizen services – how do you balance federal cooperation with service restoration?”

Round 2→3 Transition

The immediate worm propagation is contained – servers are patched and citizen services are being restored. But government infrastructure participated in attacks against federal targets, citizen data was potentially exposed, and public trust in government technology is shaken. Focus shifts from hours to weeks: citizen data protection, federal investigation cooperation, and government cybersecurity modernization.

Round 3: Long-Term Government Cybersecurity & Public Trust (35 min)

Four weeks post-incident. Citizen services are restored but the political and security aftermath continues. DGSI investigation is active, Assemblée nationale has convened oversight hearings, and citizens are questioning whether their personal data is safe with government agencies. The government agency faces a defining question: how do you restore public trust when government infrastructure was both victim and weapon?

Investigation focus areas:

• Government cybersecurity architecture – Sophie Lambert proposes: automated patch management across all government systems, network segmentation between citizen-facing services and internal infrastructure, continuous monitoring with federal threat intelligence integration. 12-week implementation, requires legislative budget approval
• Citizen data protection assessment – Jean-Pierre Moreau coordinates with CNIL: what citizen data was potentially accessible, notification obligations for millions of residents, identity protection services
• Federal investigation cooperation – DGSI Agent Nathalie Dupont requires ongoing system access, documentation, and testimony about the patch delay decision and government infrastructure’s role in attacks
• Political accountability – Assemblée nationale oversight committee demanding explanation of how government infrastructure was used to attack federal targets, and why security patches were delayed during critical service periods

Pressure events:

• Assemblée nationale oversight hearing scheduled – Jean-Pierre Moreau must testify about the patch delay decision and government participation in attacks
• Citizen advocacy group files public records request for all communications about the patch delay decision
• Federal government considers restricting state’s access to certain intergovernmental systems pending security review
• Matignon requests Jean-Pierre Moreau’s resignation plan “as an option” for political accountability

Facilitation questions:

• “Government agencies have unique accountability obligations – how is breach response different when your ‘customers’ are citizens who can’t choose another provider?”
• “The patch delay was a rational decision to protect tax season services – but it enabled government infrastructure to attack federal targets. How should institutional accountability work?”
• “How do you modernize government cybersecurity within the constraints of budget cycles, procurement rules, and political oversight?”

Victory Conditions

• Worm eliminated across all government infrastructure with comprehensive verification
• Citizen services restored and data exposure assessment completed
• Federal investigation cooperation established while maintaining service operations
• Government cybersecurity modernization plan developed with legislative support

Debrief Focus (Full Game)

• How government infrastructure compromises create national security implications beyond typical organizational breaches
• The unique tension between citizen service continuity obligations and security remediation in government agencies
• Why governments face accountability dynamics (legislative oversight, public records, political pressure) that private sector organizations don’t
• How government patch delay decisions during critical service periods mirror private sector revenue-driven security compromises
• Long-term trust recovery when government agencies – which citizens can’t choose to leave – fail at data protection

Advanced Challenge Materials (150-170 min, 3+ rounds)

Red Herrings & Misdirection

• Legitimate government scanning activity – cybersecurity team’s own vulnerability assessment generates network traffic patterns similar to worm scanning, creating false positive confusion
• Tax season traffic surge – record tax filing volume creates server performance issues unrelated to worm infection, complicating symptom differentiation
• Previous government website redesign – several department websites were scheduled for redesign this month; initial defacement reports confused with planned maintenance windows
• Foreign government attribution speculation – media and political figures speculate about foreign government cyber attack, misdirecting from the automated worm’s non-targeted nature

Removed Resources & Constraints

• FBI Cyber Division system access conflict – federal investigation requires preserving systems as evidence while service restoration requires rebuilding them; competing federal priorities
• Government procurement delays – emergency security tool acquisition requires procurement approval process taking 3-5 business days minimum
• Cross-agency coordination barriers – different government departments use separate IT systems managed by different teams with no unified incident command structure
• Political communication restrictions – governor’s communications office controls all public statements about the incident, creating delays in citizen notification

Enhanced Pressure

• Federal system access restriction – federal government threatens to restrict state’s access to shared intergovernmental databases (law enforcement, tax, benefits) pending security remediation
• Election year scrutiny – opposition party uses the incident in campaign messaging; every response decision is evaluated through political lens
• Cascading agency impact – other government agencies sharing network infrastructure begin experiencing disruptions as worm spreads beyond the initial agency
• Citizen identity theft reports – within days of the breach, citizens begin reporting suspicious activity on their tax accounts, creating urgency around data exposure assessment

Ethical Dilemmas

• Tax deadline extension – extending the tax filing deadline provides citizen relief but publicly acknowledges the severity of the breach; maintaining the deadline forces citizens to use potentially compromised systems or file paper returns
• Political accountability versus institutional stability – Robert Kline’s resignation would satisfy political demands but removes the person with the most institutional knowledge during ongoing remediation; what serves citizens better?
• Federal cooperation versus citizen services – FBI Cyber Division wants extended system access for investigation while citizens need those exact systems for essential services; whose needs take priority?
• Selective transparency – full public disclosure about government infrastructure attacking federal targets may erode public trust in all government technology; limited disclosure may violate public accountability obligations

Removed Resources & Constraints

• DGSI system access conflict – federal investigation requires preserving systems as evidence while service restoration requires rebuilding them; competing federal priorities
• Government procurement delays – emergency security tool acquisition requires procurement approval process taking 3-5 business days minimum
• Cross-agency coordination barriers – different government departments use separate IT systems managed by different teams with no unified incident command structure
• Political communication restrictions – governor’s communications office controls all public statements about the incident, creating delays in citizen notification

Enhanced Pressure

• Federal system access restriction – federal government threatens to restrict state’s access to shared intergovernmental databases (law enforcement, tax, benefits) pending security remediation
• Election year scrutiny – opposition party uses the incident in campaign messaging; every response decision is evaluated through political lens
• Cascading agency impact – other government agencies sharing network infrastructure begin experiencing disruptions as worm spreads beyond the initial agency
• Citizen identity theft reports – within days of the breach, citizens begin reporting suspicious activity on their tax accounts, creating urgency around data exposure assessment

Ethical Dilemmas

• Tax deadline extension – extending the tax filing deadline provides citizen relief but publicly acknowledges the severity of the breach; maintaining the deadline forces citizens to use potentially compromised systems or file paper returns
• Political accountability versus institutional stability – Jean-Pierre Moreau’s resignation would satisfy political demands but removes the person with the most institutional knowledge during ongoing remediation; what serves citizens better?
• Federal cooperation versus citizen services – DGSI wants extended system access for investigation while citizens need those exact systems for essential services; whose needs take priority?
• Selective transparency – full public disclosure about government infrastructure attacking federal targets may erode public trust in all government technology; limited disclosure may violate public accountability obligations

Advanced Debrief Topics

• How government agencies face unique accountability dynamics (legislative oversight, public records, political pressure) that fundamentally change breach response
• The ethics of political accountability for institutional security decisions when resignation removes critical knowledge during active remediation
• Why government infrastructure compromises create cascading national security implications that private sector breaches typically don’t
• How government procurement and budget cycles create systematic obstacles to rapid cybersecurity improvement
• Balancing citizen service obligations (governments are monopoly providers) against security remediation needs when citizens can’t choose alternatives