Raspberry Robin Scenario: State Department of Revenue Breach
Planning Resources
Scenario Details for IMs
State Department of Revenue: Government Agency During Tax Season Peak Operations
Quick Reference
- Organization: Government agency processing tax returns and citizen services, 600 employees handling taxpayer data
- Key Assets at Risk: Taxpayer data security (millions of citizens affected), Government service continuity, Regulatory compliance, Public trust in government data protection
- Business Pressure: Tax season peak operations—any data breach affects millions of taxpayers, government security breach threatens public trust in state agency capability
- Core Dilemma: Continue USB-based tax document collection maintaining government services BUT allows malware propagation through taxpayer data systems, OR Halt USB workflows for containment BUT disrupts tax processing and citizen services during peak season
Detailed Context
Organization Profile
Government agency processing tax returns and citizen services, 600 employees
Key Assets At Risk: - Taxpayer data security - Government service continuity - Regulatory compliance - Public trust
Business Pressure
- Tax season peak operations - any data breach affects millions of taxpayers
- Government security breach threatens public trust
Cultural Factors
- Government auditors routinely use USB drives to collect taxpayer documents and transfer data between field locations and secure office systems
- USB-based malware is spreading through legitimate government workflows, bypassing network security and air-gapped protections
- Infected systems include both taxpayer data processing and government service delivery networks
Opening Presentation
“It’s Wednesday morning at the State Department of Revenue during peak tax season, and government employees are processing thousands of tax returns while field auditors collect taxpayer documents using USB drives for secure transfer. But auditors begin reporting disturbing behavior: USB drives are automatically creating files that appear to be normal folders, but accessing them causes system anomalies. The USB-based malware is spreading through legitimate government workflows, affecting both taxpayer data systems and citizen service networks.”
Initial Symptoms to Present:
Key Discovery Paths:
Detective Investigation Leads:
Protector System Analysis:
Tracker Network Investigation:
Communicator Stakeholder Interviews:
Mid-Scenario Pressure Points:
- Hour 1: Taxpayer data processing systems shut down due to USB malware affecting peak tax season operations
- Hour 2: Field audit operations suspended as infected USB drives threaten taxpayer information security
- Hour 3: Government security assessment reveals potential exposure of sensitive citizen data to USB-based malware
- Hour 4: State cybersecurity authorities demand immediate containment and taxpayer notification assessment
Evolution Triggers:
- If USB disinfection fails, malware continues spreading through all government data collection procedures
- If taxpayer data exposure is confirmed, regulatory notification and public trust crisis ensue
- If government service disruption continues, citizen services and tax season operations are compromised
Resolution Pathways:
Technical Success Indicators:
- Complete USB-based malware removal from government systems with verified clean data collection procedures
- Government network security restored preventing further USB-based propagation across citizen service systems
- Taxpayer data integrity verified ensuring citizen information protection and regulatory compliance
Business Success Indicators:
- Government operations restored maintaining tax season processing and citizen service delivery
- Public trust protected through transparent communication and professional incident management
- Regulatory compliance maintained preventing government cybersecurity penalties and citizen notification requirements
Learning Success Indicators:
- Team understands USB-based propagation in government environments with citizen data protection requirements
- Participants recognize removable media security challenges in government workflows and regulatory compliance
- Group demonstrates coordination between cybersecurity response and government service continuity obligations
Common IM Facilitation Challenges:
If Government Workflow Complexity Is Ignored:
“Your network security strategy is sound, but Linda explains that field auditors must use USB drives to collect taxpayer documents from citizen locations. How does legitimate government workflow requirement change your USB security approach?”
If Taxpayer Data Impact Is Minimized:
“While you’re removing USB malware, Kevin discovered that infected systems process millions of taxpayer tax returns and personal financial information. How do you assess potential citizen data exposure and notification requirements?”
If Public Trust Implications Are Overlooked:
“Director Chen just learned that news media is asking about government cybersecurity breach during tax season. How do you balance technical response with public trust and transparent government communication obligations?”
Success Metrics for Session:
Template Compatibility
This scenario adapts to multiple session formats with appropriate scope and timing:
Quick Demo (35-40 minutes)
Structure: 3 investigation rounds, 1 decision round Focus: Core USB worm discovery and immediate government network containment Simplified Elements: Streamlined regulatory compliance and taxpayer notification complexity Key Actions: Identify USB malware propagation, implement emergency device controls, coordinate field audit suspension
Lunch & Learn (75-90 minutes)
Structure: 5 investigation rounds, 2 decision rounds Focus: Comprehensive USB workflow investigation and taxpayer data protection Added Depth: Government cybersecurity requirements and citizen service continuity Key Actions: Complete forensic analysis of USB worm spread, coordinate regulatory assessment, restore government operations with verification
Full Game (120-140 minutes)
Structure: 7 investigation rounds, 3 decision rounds Focus: Complete government USB outbreak response with state cybersecurity coordination Full Complexity: Taxpayer data breach assessment, public trust management, long-term government USB security policy Key Actions: Comprehensive USB malware containment across government networks, coordinate state cybersecurity response, implement enhanced workflow security while maintaining tax season operations
Advanced Challenge (150-170 minutes)
Structure: 8-9 investigation rounds, 4 decision rounds Expert Elements: Government regulatory technical depth, taxpayer notification strategy, public communication complexity Additional Challenges: Mid-scenario tax season deadline pressure, media scrutiny, citizen data forensics coordination Key Actions: Complete investigation under government operational constraints, coordinate multi-agency response, implement comprehensive USB security architecture while maintaining public trust
Quick Demo Materials (35-40 min)
Guided Investigation Clues
Progressive hints to maintain engagement and learning momentum:
Pre-Defined Response Options
Three balanced response approaches with trade-offs:
Option A: Emergency Government Lockdown & Complete USB Elimination
- Action: Immediately disable all USB ports across all government systems, halt field audit operations until alternative secure data collection methods can be implemented, implement complete malware removal and system rebuild, coordinate extended taxpayer notification timeline with state cybersecurity authorities.
- Pros: Ensures absolute certainty of malware elimination and prevents any reinfection, provides thorough investigation of taxpayer data exposure, demonstrates unwavering commitment to citizen data protection, eliminates USB propagation vector completely.
- Cons: Suspends field audit operations for 4-6 weeks affecting thousands of business compliance requirements, delays tax season completion creating citizen service disruption, requires development and deployment of alternative secure data collection systems, creates significant public criticism of government service failures.
- Type Effectiveness: Super effective against Worm malmon type; complete USB lockdown prevents propagation and ensures government network security with zero reinfection risk.
Option B: Accelerated Parallel Response & Conditional USB Restoration
- Action: Conduct intensive 5-day malware removal across all government systems using state cybersecurity resources, implement enhanced USB device scanning and strict control policies, coordinate real-time taxpayer data assessment for expedited notification authorization while maintaining critical audit operations with verified clean drives.
- Pros: Balances government operations with security response requirements, provides compressed but thorough USB malware containment, demonstrates agile government incident management, maintains tax season operations while addressing outbreak.
- Cons: Requires extraordinary coordination across government agencies and sustained 24/7 operations, compressed timeline increases risk of incomplete malware removal in some systems, maintains some operational uncertainty during USB restoration phase, intensive resource stress on government IT staff.
- Type Effectiveness: Moderately effective against Worm malmon type; addresses immediate government security concerns while restoring operations, but compressed timeline may not fully eliminate persistent USB infections or prevent isolated reinfection events.
Option C: Selective System Isolation & Phased Security Recovery
- Action: Isolate confirmed infected government systems from taxpayer data processing, implement immediate USB scanning and verification protocols for clean systems, maintain critical tax season operations using verified clean drives while conducting thorough malware investigation at affected locations, coordinate phased security restoration aligned with audit operational priorities.
- Pros: Maintains tax season operations and citizen service continuity, allows audit compliance with verified clean USB procedures, provides time for comprehensive USB malware investigation and taxpayer data assessment, demonstrates sophisticated risk management balancing security with government service obligations.
- Cons: Operates with partially contained outbreak requiring sustained vigilance, requires intensive USB verification and manual monitoring increasing operational complexity, extended containment window across government networks, depends on effectiveness of system isolation and USB verification procedures against worm reintroduction through field audit operations.
- Type Effectiveness: Partially effective against Worm malmon type; addresses immediate government operational requirements through isolation and verification, but extended containment creates ongoing reinfection risk if USB procedures aren’t perfectly controlled across distributed field audit operations.
Lunch & Learn Materials (75-90 min, 2 rounds)
Round 1: Discovery & Field Operations Assessment (30-35 min)
Investigation Clues:
- Clue 1 (Minute 5): Field Audit Supervisor Diana Martinez calls from a business audit site. “The USB drives we use for collecting taxpayer records during field audits are creating strange files - folders called ‘Tax_Documents’ and ‘Audit_Files’ that look legitimate but don’t open. Every auditor’s laptop is showing this behavior.”
- Clue 2 (Minute 10): USB forensics reveal Raspberry Robin worm using LNK file disguises to propagate through government audit workflows. The malware spreads automatically when field auditors insert USB drives to collect business tax records - exactly how tax season field operations work every single day.
- Clue 3 (Minute 15): IT Director Carlos Chen reports alarming propagation: “Field auditors share USB drives between office and business audit sites. A drive infected at one location on Monday visits 5 different businesses by Friday, spreading to each auditor’s laptop and collecting taxpayer data along the way. This is exponential growth through field operations.”
- Clue 4 (Minute 20): Compliance Officer Robert Park discovers infected USB drives have accessed taxpayer databases containing sensitive financial information. “These USB drives collect business tax returns, financial statements, and personal taxpayer data. The malware has touched systems with SSNs, income information, and business financial records.”
Response Options:
- Option A: Immediate Government-Wide USB Shutdown - Disable all USB ports across all Department of Revenue systems immediately, halt all field audit operations, implement emergency manual procedures for critical tax processing.
- Pros: Completely stops worm propagation across government networks; prevents further taxpayer data exposure; demonstrates decisive protection of citizen information.
- Cons: Suspends field audit operations during peak tax season; delays thousands of business compliance audits; field auditors unable to collect taxpayer records; public criticism of government service disruption.
- Type Effectiveness: Super effective - immediately halts USB worm propagation but creates significant public service impact.
- Option B: Enhanced USB Monitoring with Field Coordination - Implement USB scanning software across government systems, prioritize infected system remediation, coordinate enhanced monitoring while allowing continued field operations with strict USB protocols.
- Pros: Balances security with critical government operations; maintains tax season audit capability; enables tracking of field operation propagation patterns.
- Cons: Worm continues spreading during monitoring deployment; coordinating field auditors in diverse locations increases complexity; doesn’t guarantee protection if scanning misses variants.
- Type Effectiveness: Moderately effective - reduces but doesn’t eliminate propagation; requires perfect coordination across distributed government workforce.
- Option C: Infected System Isolation - Quarantine confirmed infected systems, establish strict USB sanitization protocols for clean field operations, accept continued infection in isolated systems temporarily while maintaining critical audits.
- Pros: Protects clean government systems from immediate spread; maintains tax processing at majority of operations; targeted approach prioritizes uninfected network protection.
- Cons: Isolated systems operate with degraded capabilities; differential security creates confusion; potential taxpayer data exposure continues at infected locations.
- Type Effectiveness: Partially effective - protects clean areas but allows propagation within isolated zones.
Round 2: Taxpayer Data & Public Accountability (30-35 min)
Investigation Clues:
- Clue 5 (Minute 30): If Option A (shutdown) was chosen: Agency Director Janet Foster reports severe operational impact: “Field auditors can’t complete tax season audits without USB drives. Thousands of businesses are waiting for compliance reviews. State legislature is demanding answers about service disruptions.”
- Clue 5 (Minute 30): If Option B or C was chosen: Carlos discovers continued worm spread despite controls: “The malware is reinfecting clean USB drives when field auditors use them at businesses we haven’t fully sanitized yet. We’re fighting containment across hundreds of remote audit locations.”
- Clue 6 (Minute 40): Robert completes taxpayer data assessment: “Infected USB drives accessed tax databases containing information for approximately 45,000 taxpayers - SSNs, income data, business financial records, bank account information for direct deposit. State data breach notification law requires notification to affected citizens within 45 days.”
- Clue 7 (Minute 50): External threat intelligence reveals Raspberry Robin in government agencies typically leads to follow-on attacks: Ransomware targeting government backup systems or data exfiltration for identity theft and tax fraud. “This USB worm is initial access for financial crime targeting taxpayer information.”
- Clue 8 (Minute 55): State cybersecurity authority contacts agency: “We received automated alert about potential taxpayer data compromise at Department of Revenue. This triggers mandatory state-level incident review and potential legislative oversight. When can you brief us on citizen impact and remediation plan?”
Response Options:
- Option A: Comprehensive Government Security Remediation - Complete USB worm removal across all systems with state cybersecurity support, implement enterprise USB security controls, conduct thorough taxpayer data breach assessment, coordinate state notification and citizen breach letters.
- Pros: Eliminates all USB infections protecting taxpayer data and government operations; demonstrates full commitment to citizen data protection; provides definitive breach impact assessment.
- Cons: Extended remediation suspends field audits (4-6 weeks); citizen breach notification creates public trust concerns; state cybersecurity review costs $150K+; legislative oversight intensifies; media scrutiny of government security failures.
- Type Effectiveness: Super effective - comprehensive security restoration with complete worm elimination but maximum public service and political impact.
- Option B: Citizen Data Prioritized Response - Immediate remediation of taxpayer-facing systems and tax databases, establish sanitized USB workflow for critical field operations, implement real-time monitoring, conduct targeted breach assessment for confirmed taxpayer data exposure only.
- Pros: Maintains taxpayer data security as absolute priority; attempts tax season completion; demonstrates citizen-centric government service.
- Cons: Administrative systems may remain infected; breach assessment may be incomplete; state oversight may question partial response approach.
- Type Effectiveness: Moderately effective - protects taxpayer data systems but may leave gaps in overall government security.
- Option C: Multi-State Isac Collaboration & Inter-Agency Coordination - Engage MS-ISAC (Multi-State Information Sharing and Analysis Center) for Raspberry Robin government intelligence, coordinate with state cybersecurity authority for remediation support, maintain transparent communication with legislative oversight committees.
- Pros: Leverages government sector expertise on USB worm impacts; state partnership demonstrates collaborative governance; legislative transparency builds public trust.
- Cons: External coordination extends response timeline; information sharing reveals security gaps to other agencies; admission of limited internal government cybersecurity capability.
- Type Effectiveness: Moderately effective - improves response quality through collaboration but may extend timeline beyond public comfort.
Round Transition Narrative
After Round 1 → Round 2:
The team’s initial response determines whether the agency faces immediate public service disruption (shutdown approach) or continued field operation worm propagation (monitoring/isolation approach). Either way, the situation escalates dramatically when Compliance Officer Robert Park reveals that infected USB drives have accessed taxpayer databases containing sensitive financial information for 45,000 citizens - SSNs, income data, business records. State data breach notification law triggers strict notification timelines and mandatory state-level incident review. This transforms the incident from an internal IT problem to a public accountability crisis with legislative oversight and media scrutiny. Additionally, threat intelligence reveals Raspberry Robin in government agencies typically precedes identity theft and tax fraud operations targeting taxpayer information. State cybersecurity authority demands incident briefing, adding inter-agency coordination pressure to the technical response. The team must now balance taxpayer data protection, public service continuity, state oversight, legislative accountability, and field operation coordination simultaneously under public scrutiny.
Debrief Focus:
- Recognition of USB-based propagation in government field operations
- Taxpayer data protection and citizen trust responsibilities
- State data breach notification and legislative oversight requirements
- Public accountability and transparent government service
- MS-ISAC and inter-agency collaboration
Full Game Materials (120-140 min, 3 rounds)
Round 1: Initial Discovery & Government Operations Impact (35-40 min)
Opening: It’s mid-March at the State Department of Revenue - peak tax season with field auditors conducting business compliance reviews across the state. Agency Director Janet Foster receives concerning reports from Field Audit Supervisor Diana Martinez: USB drives used to collect taxpayer records during field audits are creating suspicious files and spreading infection faster than anticipated.
Team Action: Each player takes 2 actions to investigate using their role’s capabilities.
Key NPCs:
- Janet Foster (Agency Director): Responsible for tax collection operations and public service delivery
- Carlos Chen (IT Director): Managing government IT infrastructure with limited budget and civil service workforce
- Diana Martinez (Field Audit Supervisor): Coordinates distributed field auditors using USB for taxpayer data collection
- Robert Park (Compliance Officer): Ensures taxpayer data protection and state regulatory compliance
Round 1 Pressure Events:
- 15 min: Field auditor unable to complete business audit due to USB restrictions
- 25 min: Infected USB drives accessed taxpayer SSNs and income data
- 30 min: State legislature calls inquiring about field audit delays affecting state revenue
Round 2: Response Strategy & State Oversight Pressure (35-40 min)
Opening: MS-ISAC (Multi-State ISAC) reports Raspberry Robin in government agencies leads to ransomware or identity theft operations. Robert completes taxpayer data assessment: 45,000 citizens’ SSNs and financial information potentially compromised. State data breach notification law triggers 45-day citizen notification requirement. State cybersecurity authority demands incident briefing and remediation plan.
Response Options:
- Comprehensive government remediation with state cybersecurity support
- Citizen data prioritized approach maintaining tax operations
- MS-ISAC collaboration and inter-agency coordination
- Phased field operation recovery with transparent legislative communication
- Emergency notification with minimal details while investigation continues
Round 2 Pressure Events:
- 15 min: State legislative committee demands immediate briefing
- 25 min: Media FOIA request for incident details during active investigation
- 30 min: Field auditor union questions security requirements impacting workforce
- 35 min: Public criticism of government service disruptions during tax season
Round 3: Resolution & Government Sector Security Lessons (35-40 min)
Facilitation Questions: 1. What makes government cybersecurity different from private sector? 2. How do USB threats challenge distributed field operations? 3. What role does public accountability play in government security decisions? 4. How should government balance security and citizen services? 5. What partnerships are valuable for public sector cybersecurity? 6. How have USB threats evolved in government contexts?
Victory Conditions:
Advanced Challenge Materials (150-170 min, 3 rounds)
Additional Complexity Layers
For experienced teams seeking maximum challenge, add these complexity elements:
1. Legislative Oversight & Public Accountability
- State legislative committee demands immediate briefing during active incident
- FOIA requests from media organizations during investigation
- Public budget scrutiny of cybersecurity spending vs citizen services
- Civil service union concerns about employee responsibilities during incident
2. Multi-Agency Coordination Complexity
- State cybersecurity authority has oversight but limited enforcement
- Multiple state agencies using similar USB field operations (health inspectors, environmental compliance, business licensing)
- Federal IRS coordination for tax data protection requirements
- Inter-agency information sharing creating political sensitivities
3. Taxpayer Data Protection & Identity Theft Risks
- 45,000 taxpayers potentially exposed to identity theft
- Forensic uncertainty about data exfiltration vs access
- State notification law requires citizen letters creating public panic
- Credit monitoring costs for affected taxpayers ($50/person = $2.25M)
4. Field Auditor Workforce Dynamics
- Unionized civil service employees resistant to workflow changes
- Field auditors geographically distributed with varying tech capabilities
- Some auditors nearing retirement with limited cybersecurity awareness
- Field supervisor authority vs central IT control tensions
5. Public Budget Constraints
- Government operates on fixed annual budget with no contingency funds
- Incident response costs require legislative approval for emergency spending
- Competition between cybersecurity funding and citizen services
- Public criticism of “wasteful government IT spending”
6. Media and Public Relations in Government Context
- Government transparency requirements vs investigation confidentiality
- Media freedom of information access during active incident
- Public official accountability for security failures
- Social media amplification of government service disruptions
7. Tax Season Operational Criticality
- Field audit delays affect business compliance deadlines
- Tax processing tied to state budget and revenue forecasting
- Citizen complaints about government service failures
- Political consequences of tax season disruptions in election year