Department of Public Services: Government Infrastructure Under Attack During Tax Season

Quick Reference

  • Organization: State Department of Public Services, managing 40+ government web portals serving 2.5 million citizens, 350 employees (180 IT staff, 120 customer service, 50 administrative/management)
  • Key Assets at Risk: Tax Filing Infrastructure & Citizen Service Delivery, Government Operations Continuity, National Security & Federal Coordination
  • Business Pressure: Monday morning, 48 hours before state tax filing deadline—Code Red worm discovered on servers hosting tax portal and critical citizen services during peak filing period
  • Core Dilemma: Patch infected servers NOW causing 48-hour service outage during tax deadline BUT citizens miss filing deadline, OR Keep systems running for tax deadline BUT government infrastructure participates in attacks against federal systems

Detailed Context

Organization Profile

Type: State Department of Public Services delivering citizen-facing government services through web portals including tax filing, business licensing, vehicle registration, benefit applications, emergency services access, and public information systems.

Size: 350 state employees including 180 IT infrastructure staff managing 40+ government web portals and backend systems, 120 customer service representatives handling citizen inquiries and technical support during tax season peak, 35 security and compliance personnel ensuring FISMA compliance and data protection, 15 executive and policy staff.

Operations: Primary government service delivery mechanism for 2.5 million state residents, processing $4.2 billion in annual tax revenue through online portal, managing 280,000 business licenses and registrations, delivering emergency services coordination and public safety information, operating unemployment benefits system serving 65,000 active claimants, maintaining 24/7 citizen access to government services.

Critical Services: State tax filing portal (legal deadline-driven, no extension authority at state level), emergency services coordination system, unemployment benefit disbursement platform, business licensing for economic continuity, vehicle registration and driver’s licensing for public safety.

Technology Infrastructure: Legacy IIS-based web server architecture inherited from late 1990s modernization initiative, shared hosting infrastructure consolidating multiple government services on common servers “for cost efficiency and resource optimization,” minimal network segmentation between citizen services and internal government communications, backup systems delayed 3 years due to budget constraints.

Current Peak Period: Tax season operations at maximum capacity—customer service receiving 4,500 daily inquiries, web portal traffic at 340% of baseline levels, temporary seasonal staff handling surge demand, IT maintenance postponed until “after tax deadline” per annual operational policy.

Key Assets & Impact

Tax Filing Infrastructure & Citizen Service Delivery: State tax portal processing 180,000 last-minute filings in final 48 hours before deadline, $890 million in tax payments at risk of missing legal deadline—Code Red worm degrading server performance threatening citizen access where state has no authority to extend deadline (federal tax deadline drives state deadline), service disruption creates citizen financial penalties for late filing, political crisis as taxpayers blame government for infrastructure failure during legally mandated deadline, voter confidence in government technology capabilities eroded.

Government Operations Continuity: Emergency services coordination system, unemployment benefit disbursement platform serving 65,000 claimants expecting weekly payments, business licensing system where delays halt new business formations and renewals creating economic disruption, vehicle registration affecting 45,000 pending transactions—worm infection threatening operational continuity across essential government functions where private sector alternatives don’t exist, citizens depend on government as sole provider of mandatory legal services.

National Security & Federal Coordination: State government infrastructure participating in coordinated attacks against federal systems and critical infrastructure—Department of Homeland Security detecting attack traffic originating from state networks, FBI investigating potential compromise of government communications, classified law enforcement coordination systems potentially accessible through compromised infrastructure, state becoming national security liability during infrastructure worm outbreak, federal-state relationships strained by state’s role as unwitting attack platform.

Immediate Business Pressure

Monday Morning, 9:15 AM - Tax Deadline T-Minus 48 Hours:

State CIO Maria Chen received urgent alert from network monitoring team: Code Red worm detected on 32 of 40 IIS web servers hosting tax portal, emergency services system, and unemployment benefits platform. Weekend infection had progressed undetected, compromised servers now actively scanning internet addresses and participating in coordinated DDoS attacks against federal government websites.

DHS cybersecurity liaison called at 9:30 AM demanding immediate containment—state servers were attacking federal infrastructure. State Attorney General called at 9:45 AM warning that service disruption 48 hours before tax deadline would create political crisis affecting 2.5 million taxpayers. Tax Director confirmed no authority exists to extend state deadline (tied to federal deadline by statute).

Critical Timeline:

  • Current moment (Monday 9:15 AM): Worm discovered during peak tax season operations, 48 hours until legal filing deadline
  • Stakes: 180,000 citizens attempting last-minute tax filing, $890M in tax revenue processing, federal pressure to stop attack participation
  • Dependencies: No deadline extension authority, federal coordination required for national security response, citizen access legally mandated
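The alert described in this section rests on two observations that a monitoring team can pull from ordinary logs: inbound probe requests arriving at the IIS servers, and outbound scanning by the servers that are already infected. As an added illustration for facilitators (not part of the original exercise material), the following Python script shows what that triage looks like against constructed IIS W3C log lines and constructed perimeter connection records. The server addresses, the 10.20. internal range, the sample timestamps and the 20-destination threshold are assumptions; the /default.ida request with a long run of N or X characters is the worm's well-known request signature.

```python
"""Code Red triage from IIS access logs and perimeter connection records.

Added example for this scenario, not part of the original exercise material.
All log lines and connection records below are constructed; the addresses,
internal prefix and scan threshold are assumptions.
"""
import re
from collections import defaultdict

# Code Red probes the ISAPI indexing extension with a request whose query
# string is a long run of N (or X in the later variant) followed by the
# %u-encoded payload.  Only the start of the payload is needed to match.
CODE_RED_QUERY = re.compile(r"^(?:N{50,}|X{50,})%u")


def parse_iis_line(line):
    """Parse one IIS W3C extended log line with the field order
    date time c-ip s-ip cs-method cs-uri-stem cs-uri-query sc-status.
    Returns None for directive (#) lines, blank lines and malformed rows."""
    if line.startswith("#") or not line.strip():
        return None
    parts = line.split()
    if len(parts) != 8:
        return None
    _date, _time, c_ip, s_ip, method, stem, query, status = parts
    return {"client": c_ip, "server": s_ip, "method": method, "stem": stem,
            "query": "" if query == "-" else query, "status": int(status)}


def is_code_red_probe(rec):
    """True when the parsed request carries the Code Red signature."""
    return rec["stem"].lower() == "/default.ida" and bool(CODE_RED_QUERY.match(rec["query"]))


def inbound_probes(lines):
    """Count Code Red probe requests per server IP: which servers were hit."""
    hits = defaultdict(int)
    for line in lines:
        rec = parse_iis_line(line)
        if rec and is_code_red_probe(rec):
            hits[rec["server"]] += 1
    return dict(hits)


def scanning_hosts(flow_records, internal_prefix="10.20.", threshold=20):
    """Flag internal hosts that opened TCP/80 connections to an unusually large
    number of distinct external addresses, the worm's outbound scanning.
    flow_records is an iterable of (timestamp, src, dst, dport) tuples."""
    dests = defaultdict(set)
    for _ts, src, dst, dport in flow_records:
        if dport == 80 and src.startswith(internal_prefix) and not dst.startswith(internal_prefix):
            dests[src].add(dst)
    return {host: len(d) for host, d in dests.items() if len(d) >= threshold}


def triage(iis_lines, flow_records):
    """Combine both views: servers that were probed, servers now scanning out,
    and probed servers that show no scanning yet (candidates to check first)."""
    probed = inbound_probes(iis_lines)
    scanning = scanning_hosts(flow_records)
    return {"probed_servers": probed,
            "suspected_infected": sorted(scanning),
            "probed_not_scanning": sorted(set(probed) - set(scanning))}


# --- constructed sample data -------------------------------------------------
N_RUN = "N" * 120  # stands in for the worm's long filler run (constructed)
X_RUN = "X" * 120
IIS_LOG = [
    "#Fields: date time c-ip s-ip cs-method cs-uri-stem cs-uri-query sc-status",
    f"2001-04-14 02:14:03 198.51.100.23 10.20.0.11 GET /default.ida {N_RUN}%u9090%u6858%ucbd3%u7801 200",
    "2001-04-14 02:14:05 203.0.113.8 10.20.0.11 GET /tax/efile.asp - 200",
    f"2001-04-14 02:15:41 198.51.100.77 10.20.0.12 GET /default.ida {X_RUN}%u9090%u6858 200",
    "2001-04-14 02:16:00 192.0.2.10 10.20.0.13 GET /default.ida - 404",
]


def constructed_flows():
    """Perimeter connection records (constructed): two servers spraying distinct
    external addresses on port 80, one healthy server with a few connections."""
    flows = []
    for i in range(40):
        flows.append(("02:20:01", "10.20.0.11", f"198.51.100.{i + 1}", 80))
    for i in range(25):
        flows.append(("02:20:02", "10.20.0.12", f"203.0.113.{i + 1}", 80))
    flows.append(("02:20:03", "10.20.0.13", "192.0.2.10", 80))
    flows.append(("02:20:04", "10.20.0.13", "10.20.0.50", 80))   # internal, ignored
    flows.append(("02:20:05", "10.20.0.13", "192.0.2.11", 443))  # not port 80, ignored
    return flows


if __name__ == "__main__":
    print(triage(IIS_LOG, constructed_flows()))
```

The two views answer different questions: the IIS log shows which servers attackers reached, while the connection records show which servers have already turned into scanners and are the ones generating the federal complaint in the scenario. A server that was probed but is not yet scanning is the first place to look for a successful but quiet infection.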

Cultural & Organizational Factors

Tax season operational continuity above security maintenance: Department culture prioritizes “citizen service first”—when IT proposed taking tax portal offline for IIS security patches in early March, Tax Director refused citing upcoming filing deadline and citizen access requirements. Management decision: maintain tax filing availability (legal obligation to citizens) over applying patches (theoretical future threat). Decision made organizational sense—taxpayers expect 24/7 portal access, service disruptions generate constituent complaints to elected officials, IT maintenance scheduled for “after tax deadline” per annual precedent. Servers remained unpatched for 4 months. Code Red exploited this exact window.

Budget constraints prevented infrastructure redundancy: State budget cuts reduced IT infrastructure funding by 18% over 3 years—backup server procurement delayed indefinitely, redundant systems eliminated as “cost optimization,” server consolidation implemented to “maximize resource efficiency.” Finance leadership rejected infrastructure investment proposals as “duplicative spending without direct citizen benefit.” Decision reflected budget reality—elected officials prioritize visible services over invisible infrastructure, capital expenditures require legislative approval (politically difficult), operational budget consumed by personnel costs. No redundant infrastructure meant patching requires service disruption. Single points of failure created vulnerability.

Shared hosting architecture for cost efficiency: Legacy infrastructure consolidation placed tax portal, emergency services, unemployment benefits, and internal government communications on shared IIS servers—security team proposed network segmentation requiring additional hardware, rejected by management as “unnecessary complexity and expense.” Decision made budget sense—segregated systems require duplicate infrastructure (higher costs), shared hosting maximized server utilization (efficiency metrics), procurement timelines for new equipment measured in years (bureaucratic reality). Result: one compromised server affected multiple government services. Lateral movement exploited shared infrastructure design.

Government procurement timelines complicate emergency response: Emergency patch deployment requires change control board approval, vendor coordination for warranty compliance, testing protocols for production systems, legislative notification for service disruptions affecting citizen services—security team recommended immediate patching, legal counsel warned of procedural requirements. Decision reflected government accountability—expenditure authority limited by appropriations, system changes require documented approval processes, citizen-facing service modifications need stakeholder notification. Bureaucratic safeguards designed for responsible governance became obstacles during security emergency.

Operational Context

State government operates under permanent resource constraints—budget cuts mean choosing between hiring customer service staff or infrastructure investment, political pressure prioritizes visible citizen services over invisible security measures, procurement bureaucracy means emergency solutions take months. Department culture: “keep services running no matter what” because taxpayers expect 24/7 access and elected officials measure performance by constituent satisfaction, not security posture.

Infrastructure architecture reflects decades of “cost optimization”—servers consolidated onto shared IIS hosting to “maximize efficiency,” network segmentation rejected as “duplicative expense,” backup systems postponed during budget cuts, maintenance deferred until “after peak season” (peak season never really ends). Security proposals consistently approved “in principle” but unfunded in practice—authorization without appropriation becomes pattern of “yes to security, no to budget.”

Tax season operational mode: all hands on deck for citizen service, IT changes frozen to “maintain stability,” overtime budget exhausted by customer service surge, temporary staff handling phones while permanent staff manage infrastructure crisis. Annual cycle: patch deferral during tax season (February-April), budget planning (May-July), procurement delays (August-October), holiday freeze (November-January). Security maintenance perpetually postponed for “next quarter.”

Code Red exploited this exact operational reality—unpatched IIS servers during tax season freeze, shared hosting enabling lateral movement, no redundant infrastructure forcing choice between service continuity and security response. Worm turned government’s own infrastructure into attack platform during legally mandated public service deadline.

Key Stakeholders

  • Maria Chen (State CIO) - Managing technical response while balancing federal demands for immediate containment with state obligations to maintain citizen services during tax deadline
  • Robert Williams (Secretary of Public Services) - Facing political pressure from Governor’s office to prevent tax deadline disaster while responding to DHS demands for attack mitigation
  • Janet Morrison (State Tax Director) - Protecting 2.5 million taxpayers’ ability to meet legal filing deadline with no authority to extend deadline or offer alternative filing methods at this scale
  • David Foster (State CISO) - Coordinating with federal agencies while managing infrastructure response, explaining to DHS why immediate shutdown isn’t viable during citizen service deadline
  • Michael Park (State Attorney General’s Office, Cyber Unit) - Assessing legal liability for government infrastructure participating in attacks, managing federal investigation cooperation while protecting state interests

Why This Matters

You’re not just responding to internet worm outbreak—you’re managing a public service crisis during legally mandated deadline where government infrastructure failure affects citizens’ legal obligations and financial penalties while simultaneously participating in attacks against federal systems creating national security implications. Your incident response decisions directly determine whether 2.5 million citizens can meet tax filing requirements, whether government delivers essential services citizens depend on, and whether state manages federal coordination during infrastructure compromise.

There’s no solution satisfying all obligations: patch servers immediately (48-hour outage during tax deadline creating political crisis and citizen financial harm), maintain services until after deadline (continued attack participation threatening federal relationships and national security), attempt runtime mitigation (uncertain effectiveness risking both service stability AND continued attack activity). This scenario demonstrates how government cybersecurity incidents create unique pressures where public service legal obligations, citizen expectations, political accountability, budget constraints, and national security coordination intersect with technical incident response—decisions affect vulnerable populations depending on government services where no private sector alternatives exist.

IM Facilitation Notes

  • Emphasize public service obligations create different pressures than private sector: Government can’t “pause operations” or “migrate to competitors”—citizens have no alternative for mandatory legal services like tax filing. Help players understand why “just shut it down” isn’t viable when 2.5 million people face legal penalties for government infrastructure failure.

  • Government budget constraints are structural, not negligence: State budget cuts reflect political priorities and taxpayer demands for efficiency—infrastructure investment competes with teachers, healthcare, public safety. Don’t let players dismiss this as “bad management.” Finance reality: IT security doesn’t win budget battles against schools and hospitals.

  • Tax deadline is legally mandated, not arbitrary business pressure: State has no authority to extend deadline (tied to federal statute)—this isn’t “company preference” or “self-imposed deadline.” Missing deadline creates actual legal consequences for citizens including financial penalties and interest charges. Government serves as single provider of legally required service.

  • National security implications escalate beyond typical incident response: When government infrastructure participates in attacks against federal systems, incident becomes federal matter—DHS, FBI, potentially classified law enforcement systems affected. Help players navigate federal-state coordination complexities, security clearance requirements, and multi-agency response during infrastructure compromise.

  • Procurement and bureaucratic safeguards serve accountability but complicate response: Emergency patch deployment triggers change control, vendor warranty concerns, legislative notification requirements—these aren’t arbitrary red tape, they’re accountability mechanisms for responsible use of taxpayer resources. Government operates under transparency and authorization constraints private sector doesn’t face.

  • Political accountability affects incident response decisions: Elected officials answer to voters, citizens measure government performance by service availability, media coverage shapes public perception—technical teams operate within political reality where constituent complaints create pressure on decision-makers. Help players understand how democratic accountability influences cybersecurity choices.

  • Emphasize Code Red’s internet-scale nature: This isn’t targeted attack on state government—it’s internet-wide infrastructure threat that happened to include state servers. Help players understand coordinated response with federal agencies, ISPs, and security community for infrastructure-level threats versus organization-specific incident response.