Stuxnet Research Facility Milestone - Planning Guide
Complete preparation guide for advanced research espionage scenario
This planning document provides comprehensive facilitation guidance for running the Stuxnet Research Facility Milestone scenario, featuring sophisticated research data manipulation, classified information exfiltration, and nation-state scientific espionage targeting breakthrough technology before Congressional presentation.
1. Quick Reference
Essential at-a-glance information for session setup
| Element | Details |
|---|---|
| Malmon | Stuxnet (Nuclear/Electric dual-type) |
| Difficulty Tier | Tier 3 (Expert) |
| Scenario Variant | Critical Infrastructure: Federal Research Laboratory |
| Organizational Context | Advanced Energy Research Institute: 400 scientists, federal research lab, classified projects environment |
| Primary Stakes | Classified research data + National competitive advantage + Scientific intellectual property |
| Recommended Formats | Full Game / Advanced Challenge |
| Essential NPCs | Dr. Elena Vasquez (Lead Research Scientist), Dr. James Morrison (Laboratory Director), Linda Park (Research Security Officer) |
| Optional NPCs | Senator Michael Brooks (Energy Committee Chair), International Research Partner, DOE Security Investigator, Foreign Intelligence Analyst |
Scenario Hook
Advanced Energy Research Institute is 48 hours from presenting decade-long breakthrough renewable energy research to Congress when sophisticated malware—infiltrated through international collaboration systems—begins manipulating experimental data while exfiltrating classified research to foreign adversaries.
Victory Condition
Team identifies sophisticated data manipulation and intellectual property theft, validates research integrity before Congressional presentation, protects classified information from foreign espionage, and maintains national laboratory mission while addressing nation-state cybersecurity threats.
2. Game Configuration Templates
Quick Demo Configuration (35-40 min)
Not recommended for this scenario. Research data integrity validation, classified information protection, and nation-state espionage complexity require sustained investigation that cannot be compressed into a demonstration format.
Lunch & Learn Configuration (60-75 min)
Not recommended for this scenario. Federal research laboratory security, scientific data validation, and international espionage implications require depth that an abbreviated format cannot support.
Full Game Configuration (120-140 min)
Pre-Configured Settings:
- Number of Rounds: 3 rounds
- Actions per Player: 2 actions per round
- Investigation Structure: Open with scientific validation checkpoints
- Response Structure: Creative with classified information protection constraints
- Team Size: 5-6 players (full role complement)
- Success Mechanics: Dice/Cards with research integrity modifiers
- Evidence Type: Subtle with sophisticated concealment
- NPC Count: 4-5 (essential + 1-2 optional)
- Badge Tracking: On
Experience Focus: Complete immersive experience with sophisticated espionage investigation, research data validation, and classified information protection. Players balance technical investigation with scientific integrity, Congressional timelines, and national security implications.
Time Breakdown:
- Introduction & Roles: 10 min
- Scenario Briefing: 10 min
- Round 1 (Discovery & Data Anomaly Investigation): 30 min
- Round 2 (Espionage Scope & Attribution): 35 min
- Round 3 (Research Validation & Presentation Decision): 30 min
- Standard Debrief: 10 min
- Advanced Discussion: 10 min
Facilitation Notes: Emphasize tension between research timeline and data validation requirements. Guide players to understand scientific integrity cannot be compromised for political schedules. Introduce nation-state espionage complexity progressively. Allow team to grapple with presentation decision and intellectual property protection.
Advanced Challenge Configuration (150+ min)
Pre-Configured Settings:
- Number of Rounds: 4 rounds
- Actions per Player: 2 actions per round
- Investigation Structure: Complex multi-threaded (technical + scientific + geopolitical)
- Response Structure: Innovative solutions required across multiple domains
- Team Size: 6+ players (expanded roles or specialized teams)
- Success Mechanics: Complex (Research Integrity Status + Classification Security Status tracking)
- Evidence Type: Subtle with red herrings and sophisticated espionage tradecraft
- Attack Complexity: Multi-stage with data manipulation and exfiltration
- NPC Count: 6+ with competing priorities
- Badge Tracking: On with research security achievements
Experience Focus: Sophisticated challenge featuring nation-state scientific espionage, advanced research data forensics, international collaboration security, and critical decision-making about research integrity under Congressional pressure.
Time Breakdown:
- Introduction & Roles: 15 min
- Scenario Briefing: 15 min
- Round 1 (Data Anomaly Discovery): 30 min
- Round 2 (Espionage Investigation & Attribution): 35 min
- Round 3 (Scope Assessment & Exfiltration Analysis): 35 min
- Round 4 (Research Validation & Strategic Response): 30 min
- Extended Debrief: 20 min
- Advanced Discussion: 15 min
Facilitation Notes: Maximum complexity with minimal guidance. Introduce classified information handling requirements, international research collaboration security challenges, Congressional oversight dynamics, and nation-state technology acquisition strategies. Challenge assumptions about scientific collaboration security. Facilitate difficult presentation decision with incomplete validation.
3. Scenario Overview
Opening Presentation
“It’s Monday morning at the Advanced Energy Research Institute, 48 hours before breakthrough renewable energy research will be presented to Congress. Lead Research Scientist Dr. Elena Vasquez and her team of 50 scientists have spent a decade developing technology that could revolutionize U.S. energy independence—work representing billions in federal investment and potential transformation of national energy policy.
But during final data validation for the Congressional presentation, Dr. Vasquez notices something unsettling. Experimental results that were validated months ago now show subtle inconsistencies. Not obvious errors, but small variations in data points that experienced scientists recognize as ‘concerning.’
When the cybersecurity team investigates, they find sophisticated malware in the research computing systems—malware that shouldn’t be there, because these systems are supposedly air-gapped from external networks for classified research protection.
Laboratory Director Dr. James Morrison calls an emergency meeting. The Congressional presentation is Wednesday. Senator Michael Brooks is expecting demonstration of revolutionary technology. The research represents U.S. scientific leadership and competitive advantage. And sophisticated nation-state malware may have been manipulating research data while stealing classified breakthrough technology to provide foreign adversaries with American scientific innovations.
Your incident response team must determine what happened, validate research integrity, protect classified information, and decide whether breakthrough technology can be presented to Congress while nation-state adversaries may have stolen the very innovations that could define America’s energy future.”
Initial Symptoms to Present
- Experimental data showing subtle inconsistencies in final validation that could invalidate breakthrough research findings and Congressional presentation
- Research computing systems displaying normal operations and passing standard checks while data integrity validation reveals systematic manipulation
- Network monitoring detecting unexpected communication patterns on classified research networks that should be completely isolated
- International collaboration system logs showing unusual access patterns and data transfer activities during off-hours
- Backup research data showing different results than primary computing systems—suggesting active manipulation rather than calculation errors
- Timeline analysis revealing anomalies began shortly after establishment of international research partnership collaboration systems
Organizational Context Details
Organization Profile:
- Name: Advanced Energy Research Institute (federal research laboratory)
- Type: Critical Infrastructure (Scientific Research & National Laboratory)
- Size: 400 scientists and support staff, classified research environment, DOE oversight
- Key Assets: Breakthrough renewable energy technology, classified research data, decade of scientific innovation, national competitive advantage
- Regulatory Environment: DOE security requirements, classification handling, federal research integrity standards, Congressional oversight
Cultural Factors:
- Scientific excellence culture prioritizes peer review and data validation—scientists trust methodology over political timelines
- International collaboration tradition creates tension between research openness and classified information protection
- Congressional oversight and federal funding create pressure to demonstrate progress and justify continued investment
- Classification security requirements conflict with scientific collaboration norms of openness and data sharing
Malmon Characteristics in This Scenario
Stuxnet manifests as sophisticated nation-state espionage malware designed to infiltrate classified research networks through international collaboration systems, manipulate experimental data to compromise research integrity, and exfiltrate breakthrough technology to provide foreign adversaries with U.S. scientific innovations and competitive advantages.
Key Capabilities Demonstrated:
- Research Data Manipulation: Systematically alters experimental results and scientific calculations while maintaining plausible data patterns that pass automated validation but fail expert scientific review
- Classified Information Exfiltration: Establishes covert data exfiltration channels targeting intellectual property, research methodologies, and breakthrough technology details for foreign intelligence acquisition
- Collaboration System Compromise: Exploits international research partnership networks to bridge air-gapped classified systems during legitimate scientific data sharing activities
Vulnerabilities to Exploit:
- Scientific Validation Dependency: While malware can manipulate automated systems, experienced scientists detect anomalies through expert review and cross-validation with independent data sources
- Data Integrity Forensics: Research computing systems maintain comprehensive logs and backup data that reveal manipulation patterns when analyzed with proper forensic methodology
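To make the Data Integrity Forensics point concrete, here is an added example that is not part of the scenario guide: it cross-checks a suspected primary dataset against an independent backup and the theoretical model, shows why a plausibility check passes while expert-style residual analysis flags the tampering, and distinguishes systematic manipulation from honest re-measurement noise. The datasets, the linear model and the 3% bias are all constructed for illustration.

```python
"""Added example (not from the planning guide): research-data integrity
check against an independent backup and a theoretical model.
All measurements below are constructed for illustration."""
import hashlib
from statistics import mean, stdev

# Constructed: 20 measurements from the offline backup taken before the
# collaboration systems were stood up (model value plus small noise).
BACKUP = [20.53, 20.98, 21.51, 21.96, 22.52, 23.00, 23.49, 24.03, 24.47,
          25.01, 25.52, 25.98, 26.54, 26.99, 27.50, 28.01, 28.47, 29.02,
          29.48, 30.01]

# Constructed: the same series as read from the suspected primary system.
# Six points (30%) have been quietly inflated by about 3%.
PRIMARY = [20.53, 20.98, 22.16, 21.96, 22.52, 23.69, 23.49, 24.03, 25.20,
           25.01, 25.52, 26.76, 26.54, 26.99, 28.33, 28.01, 28.47, 29.89,
           29.48, 30.01]

# Constructed: an honest re-measurement, differing from the backup by a
# mixed-sign 0.3% noise floor (what experimental replication looks like).
_SIGNS = [1 if i % 2 == 0 else -1 for i in range(len(BACKUP))]
REPLICATION = [round(b * (1 + s * 0.003), 2) for b, s in zip(BACKUP, _SIGNS)]


def model(i):
    """Assumed theoretical model for sample i (constructed, linear)."""
    return 20.0 + 0.5 * i


def automated_plausibility(values, tol=0.05):
    """The kind of automated range-vs-model check the manipulation is
    designed to pass: every value must sit within 5% of the model."""
    return all(abs(v - model(i)) / model(i) <= tol
               for i, v in enumerate(values, 1))


def sha256_of(values):
    """Digest of the canonical series; a cheap first tripwire against
    the backup copy."""
    blob = ",".join(f"{v:.2f}" for v in values).encode()
    return hashlib.sha256(blob).hexdigest()


def divergent_points(primary, backup, rel_tol=1e-3):
    """1-based sample ids where primary and backup disagree beyond
    rel_tol (relative to the backup value)."""
    return [i for i, (p, b) in enumerate(zip(primary, backup), 1)
            if abs(p - b) > rel_tol * abs(b)]


def classify_deviation(primary, backup, rel_tol=1e-3):
    """Expert-style judgement: one-directional, tightly clustered
    deviations are 'systematic'; mixed-sign scatter is 'random'."""
    idx = divergent_points(primary, backup, rel_tol)
    if not idx:
        return "consistent"
    devs = [(primary[i - 1] - backup[i - 1]) / backup[i - 1] for i in idx]
    same_sign = all(d > 0 for d in devs) or all(d < 0 for d in devs)
    spread = stdev(devs) if len(devs) > 1 else 0.0
    if same_sign and spread < 0.25 * abs(mean(devs)):
        return "systematic"
    return "random"


def integrity_report(primary, backup):
    """Summary a responder would hand to the lead scientist."""
    idx = divergent_points(primary, backup)
    return {
        "hash_match": sha256_of(primary) == sha256_of(backup),
        "automated_check_passed": automated_plausibility(primary),
        "divergent_samples": idx,
        "manipulated_fraction": len(idx) / len(backup),
        "pattern": classify_deviation(primary, backup),
    }


if __name__ == "__main__":
    for k, v in integrity_report(PRIMARY, BACKUP).items():
        print(f"{k}: {v}")
    print("replication vs backup:", classify_deviation(REPLICATION, BACKUP))
```

The report shows the automated check passing on the tampered series while the backup comparison isolates the six altered samples and labels the bias systematic, which is the distinction Dr. Vasquez draws in the scenario.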
4. NPC Reference
Essential NPCs (Must Include)
NPC 1: Dr. Elena Vasquez (Lead Research Scientist)
- Position: Principal investigator for breakthrough renewable energy research, leading 50-scientist team through decade-long project
- Personality: Brilliant, methodical, absolutely committed to scientific integrity—will not present questionable data regardless of political pressure
- Agenda: Wants Congressional presentation to succeed but only with validated research; needs team to determine whether data can be trusted
- Knowledge: Deep understanding of experimental results and what “normal” data should look like; detected initial anomalies through scientific expertise
- Pressure Point: Decade of her career invested in this research; presentation could define her scientific legacy, but compromised data would destroy her professional reputation
- IM Portrayal Notes: Play her as the scientific integrity advocate who trusts data over deadlines. She says things like: “These results don’t match our theoretical models—something is systematically wrong, not just random error.” Use her to validate player investigation approaches and provide scientific context.
NPC 2: Dr. James Morrison (Laboratory Director)
- Position: Overall research facility operations, responsible for protecting classified information while maintaining scientific mission
- Personality: Strategic thinker, balances multiple priorities, concerned about national security implications and laboratory reputation
- Agenda: Wants to present breakthrough research to Congress but also protect classified information and national competitive advantage
- Knowledge: Understands political context, classification requirements, international collaboration security challenges, and federal research laboratory mission
- Pressure Point: Laboratory funding and mission depend on Congressional support; security breach could compromise facility clearance and future classified research authority
- IM Portrayal Notes: Use James to introduce strategic and political considerations. He raises questions like: “If foreign adversaries have stolen this breakthrough technology, what does that mean for U.S. energy independence and scientific leadership?” Balances scientific mission with security requirements.
NPC 3: Linda Park (Research Security Officer)
- Position: Responsible for classified information protection, facility security clearances, and federal research security compliance
- Personality: Detail-oriented, security-focused, takes classified information protection extremely seriously
- Agenda: Wants to identify security breach, protect classified data, and ensure foreign adversaries don’t gain U.S. scientific advantages
- Knowledge: Classification security protocols, international collaboration security requirements, DOE security regulations, espionage threat awareness
- Pressure Point: Professional responsibility for preventing classified information compromise; security breach on her watch affects career and national security
- IM Portrayal Notes: Linda is the security realist who understands espionage threats. Use her to provide evidence of data exfiltration and raise nation-state attribution. She introduces concepts like: “This isn’t about research integrity—this is about foreign intelligence services stealing American technological advantages.”
Optional NPCs (Add Depth)
NPC 4: Senator Michael Brooks (Energy Committee Chair)
- Position: Congressional Energy Committee leadership expecting groundbreaking research presentation
- Personality: Results-oriented politician, doesn’t understand scientific nuances, focused on national energy policy impact
- Agenda: Wants impressive research demonstration to justify federal research funding and support energy independence legislation
- Knowledge: Political context, federal funding implications, national energy policy priorities
- Pressure Point: Political reputation tied to supporting research funding; needs demonstrable return on taxpayer investment
NPC 5: International Research Partner
- Position: Foreign scientist collaborating on research through legitimate international partnership
- Personality: Defensive about collaboration security, concerned about being blamed for security breach
- Agenda: Wants to maintain research partnership and demonstrate proper security procedures
- Knowledge: International collaboration workflows, data sharing procedures, partnership establishment timeline
- Pressure Point: Professional reputation, future collaboration opportunities, potential diplomatic implications
NPC 6: DOE Security Investigator
- Position: Department of Energy security specialist investigating classified information compromise
- Personality: Methodical investigator, focused on attribution and counter-intelligence implications
- Agenda: Wants to identify espionage actors, assess damage to national security, and improve research security
- Knowledge: Nation-state espionage tactics, classified research protection requirements, federal security investigation protocols
- Pressure Point: National security responsibility, counter-intelligence mission, potential international incident implications
NPC Interaction Guidelines
When to introduce NPCs:
- Dr. Vasquez (Immediately): Opens scenario by briefing team on data anomalies discovered during final Congressional presentation validation
- Dr. Morrison (Round 1): Appears when initial investigation suggests sophisticated attack, raises strategic and security implications
- Linda Park (Round 1-2): Available throughout for security consultation, provides classified information protection context and exfiltration evidence
- Senator Brooks (Round 2-3): Calls to confirm presentation schedule and expectations, creates political pressure
- International Partner (Round 2): Contacted when investigation focuses on collaboration system compromise vectors
- DOE Investigator (Round 3): Arrives if espionage confirmed, handles attribution and counter-intelligence coordination
How NPCs advance the plot:
- Dr. Vasquez forces research integrity decision: “I cannot present compromised data to Congress regardless of political importance”
- Dr. Morrison balances competing priorities: “We need the breakthrough technology presentation, but not at the cost of giving adversaries our innovations”
- Linda Park escalates espionage implications: “This is nation-state intellectual property theft targeting U.S. scientific advantages”
- NPC conflicts create realistic tension: Senator wants presentation, scientist wants validation, security officer wants espionage investigation
5. Investigation Timeline
Round 1: Discovery Phase
Automatic Reveals (present to all teams):
- Data Anomaly Discovery: Final validation for Congressional presentation reveals subtle inconsistencies in experimental results that experienced scientists recognize as systematic manipulation rather than random errors
- System Compromise Evidence: Cybersecurity monitoring detects sophisticated malware in classified research computing systems that should be air-gapped from external networks
Detective Investigation Leads:
- Forensic analysis reveals sophisticated multi-component malware with capabilities specifically designed for research data manipulation and intellectual property exfiltration
- Timeline correlation shows malware presence began within two weeks of international research collaboration system establishment
- Code analysis reveals nation-state sophistication indicators: advanced obfuscation, stolen research credentials, specific targeting of scientific computing platforms
Protector System Analysis:
- Research data integrity verification reveals systematic manipulation of experimental results affecting approximately 30% of critical data points
- Classified information system analysis shows unauthorized access to breakthrough technology documentation and research methodologies
- Network security assessment reveals collaboration systems created bridge between unclassified partnership networks and air-gapped classified research environments
Tracker Network Investigation:
- Network traffic analysis reveals covert data exfiltration channels operating during off-hours when security monitoring is reduced
- Command structure analysis shows sophisticated multi-stage operation: initial infiltration (complete), data manipulation (ongoing), intellectual property exfiltration (active)
- Attribution indicators point to nation-state scientific espionage targeting U.S. research laboratories and breakthrough technologies
Communicator Stakeholder Insights:
- Dr. Vasquez explains data anomalies: “The results are plausible enough to pass automated validation, but they don’t match our theoretical models—someone who understands our research manipulated the data”
- International collaboration partners describe legitimate data sharing procedures that inadvertently created security vulnerabilities during partnership establishment
- Classification security staff emphasize DOE requirements: “Classified research compromise requires federal security investigation and potential international incident notification”
Crisis Manager Coordination Discoveries:
- Congressional presentation timeline: 48 hours until demonstration of breakthrough technology to Energy Committee leadership
- Impact assessment: Research represents decade of work, billions in federal investment, and potential transformation of U.S. energy policy
- Scope evaluation: Malware affects all classified research systems, complete data validation required before presentation can proceed with integrity
Threat Hunter Proactive Findings:
- Malware analysis reveals nation-state espionage methodology: research-specific targeting, long-term persistent access, dual objectives of manipulation and exfiltration
- Similar attack patterns identified in intelligence reports of foreign adversaries targeting U.S. national laboratories for technology acquisition
- Strategic assessment suggests coordinated campaign against federal research facilities to compromise American scientific competitive advantages
Round 2: Investigation Phase
Automatic Reveals:
- Exfiltration Scope: Deep forensic analysis reveals malware has exfiltrated comprehensive classified research data including breakthrough technology details, experimental methodologies, and scientific innovations
- Manipulation Strategy: Data analysis shows malware implements sophisticated manipulation strategy: subtle errors that would compromise research validity without obviously revealing attack
Detective Investigation Leads:
- Deep malware analysis reveals embedded targeting priorities matching classified research areas—suggesting adversary had detailed knowledge of research programs and value
- Attribution forensics identify code signatures, operational security patterns, and strategic objectives consistent with specific nation-state scientific espionage programs
- Incident reconstruction shows attack planning began before collaboration system establishment—adversary deliberately targeted partnership as infiltration vector
Protector System Analysis:
- Comprehensive research data validation reveals malware manipulation designed to invalidate research conclusions during Congressional peer review—suggesting goal of embarrassing U.S. scientific credibility
- Classified information damage assessment shows complete breakthrough technology specifications exfiltrated to foreign adversary
- Recovery analysis indicates research data can be validated using independent backup sources and experimental replication, estimated 5-7 days for comprehensive validation
Tracker Network Investigation:
- Network forensics map complete exfiltration timeline: systematic data theft over six weeks targeting highest-value classified research and intellectual property
- Exfiltration destination analysis reveals sophisticated multi-hop routing designed to obscure ultimate recipient nation
- International collaboration security review shows partnership establishment procedures created predictable vulnerability window that adversary exploited
Communicator Stakeholder Insights:
- Dr. Vasquez provides scientific validation approach: “We have independent backup data and can replicate key experiments, but comprehensive validation requires time we don’t have before Wednesday”
- Senator Brooks’ office confirms Congressional expectations: “Energy Committee leadership expects demonstration of revolutionary technology—this presentation has significant policy and funding implications”
- International research partners express concern about being characterized as a security vulnerability: “Our collaboration followed all proper procedures—this is a sophisticated attack, not negligence”
Crisis Manager Coordination Discoveries:
- Federal security reporting requirements initiated: DOE Security, FBI Counterintelligence, and State Department all require incident notification
- Research integrity assessment: Presentation can proceed if data validation confirms manipulation was detected and corrected, or must be postponed if uncertainty remains
- Diplomatic implications: Attribution to specific nation raises international relations and foreign policy considerations beyond cybersecurity incident
Threat Hunter Proactive Findings:
- Intelligence analysis suggests this research was specifically targeted due to breakthrough nature and potential to provide U.S. with major energy independence advantages
- Broader threat assessment identifies pattern of nation-state targeting of federal research laboratories conducting strategic technology development
- Geopolitical context reveals adversary motivation: acquire U.S. technological innovations, compromise American scientific credibility, and eliminate competitive advantages
Round 3: Response Phase
Automatic Reveals:
- Decision Point: Dr. Morrison formally requests incident response team assessment: “Congressional presentation is in 36 hours. Can we validate research integrity in time, or must we postpone and explain classified information compromise?”
- Strategic Stakes: DOE Security confirms that classified technology exfiltration to foreign adversary represents major compromise of U.S. scientific competitive advantage
Evidence Based on Player Actions:
- If team recommends postponing presentation: Dr. Morrison supports decision, coordinates Congressional notification explaining cybersecurity incident and validation timeline
- If team proposes rapid validation using backup data: Dr. Vasquez expresses scientific concern about compressed timeline and thoroughness of verification
- If team focuses on espionage damage assessment: DOE Security coordinates counter-intelligence investigation but emphasizes immediate priority is research integrity
- If team attempts to minimize classification compromise: Linda Park indicates federal regulations require full damage assessment before determining presentation viability
Malware Behavior Evolution:
- If detection approaches succeed: Malware maintains persistence attempting to continue exfiltration of validation data and response strategies
- If presentation proceeds without full validation: Risk that additional subtle manipulation remains undetected, potentially compromising research credibility during Congressional peer review
- If comprehensive validation initiated: Research integrity can be confirmed but timeline extends beyond Congressional presentation schedule
Final Complications (Advanced Challenge):
- Intelligence agencies request team preserve evidence for attribution and future operations against nation-state espionage programs
- Congressional staff pressure increases as presentation deadline approaches: “Committee leadership has cleared schedule for this briefing—postponement has significant political consequences”
- Nation-state adversary aware of detection may attempt additional compromise to destroy evidence or undermine response confidence
6. Response Options
Type-Effective Approaches
Most Effective (Electric/Behavioral Strength):
- Comprehensive Research Data Validation Using Independent Sources: Systematic verification of all affected data using backup systems, independent measurements, and experimental replication—most reliable but requires extended timeline (DC 12, high confidence but 5-7 day schedule)
- Behavior-Based Research Integrity Analysis: Leverage Dr. Vasquez’s scientific expertise to identify manipulation patterns and validate critical breakthrough findings using theoretical models and peer review (DC 14, faster timeline but requires expert judgment)
Moderately Effective:
- Targeted Data Validation with Congressional Presentation Subset: Focus validation on specific breakthrough findings needed for presentation while flagging additional data for post-presentation verification (DC 16, meets timeline but includes uncertainty)
- Enhanced Monitoring with Ongoing Validation: Present research with caveat that comprehensive validation is underway, providing transparent disclosure of cybersecurity incident (DC 14, maintains integrity but reduces political impact)
Least Effective (Nuclear Resistance):
- Automated Validation Tools: Sophisticated manipulation designed to evade automated checks—standard validation tools cannot detect nation-state data manipulation (DC 20, very low confidence)
- Rapid Presentation Without Full Validation: Proceeding with Congressional briefing despite unresolved data integrity concerns risks scientific credibility and potential embarrassment during peer review (Automatic failure, Dr. Vasquez refuses)
Creative Response Guidance
Encourage player innovation in these areas:
- Hybrid Validation Strategy: Team might propose presenting validated core findings while transparently disclosing ongoing verification of supporting data—balancing scientific integrity with Congressional timeline
- Expert Review Panel: Convening external scientific experts for rapid peer review to provide independent validation within compressed timeline
- Congressional Transparency: Proposing briefing that includes both breakthrough technology and sophisticated espionage incident as demonstration of research security awareness
Common creative solutions players develop:
- Phased Presentation Approach: Delivering initial Congressional briefing with validated findings while scheduling follow-up detailed technical presentation after complete validation
- Counter-Intelligence Value: Framing espionage incident as opportunity to demonstrate U.S. research security capabilities and adversary threat awareness
- International Collaboration Security Enhancement: Using incident to develop improved protocols that maintain scientific collaboration while protecting classified research
7. Round-by-Round Facilitation Guide
Round 1: Discovery
Opening Narration:
“It’s Monday morning, 48 hours before breakthrough renewable energy research will be presented to Congress. Dr. Elena Vasquez calls an emergency meeting. ‘We have a serious problem,’ she begins, pulling up validation data on the screen. ‘I was doing final checks before Wednesday’s presentation, and experimental results that were solid months ago now show inconsistencies. Not obvious errors—subtle variations that shouldn’t exist.’ She looks at Laboratory Director Dr. James Morrison. ‘I asked cybersecurity to check our computing systems. They found sophisticated malware in our classified research networks.’ Morrison’s expression is grim. ‘Senator Brooks is expecting demonstration of revolutionary technology on Wednesday. This research represents a decade of work and billions in federal investment. But if foreign adversaries have compromised our data and stolen our breakthrough technology…’ He turns to your team. ‘We need to know what happened, whether our research is valid, and what we’re going to tell Congress.’”
IM Questions to Ask:
- “Dr. Vasquez is describing data anomalies that are ‘systematically wrong, not random errors.’ What does that pattern tell you about the nature of this compromise, and how would you validate research integrity?”
- “You’re looking at malware in research systems that should be air-gapped for classified information protection. How did this compromise occur, and what does the sophistication suggest about the adversary?”
- “The malware shows capabilities for both data manipulation and exfiltration. What are the implications for research integrity and national competitive advantage?”
Expected Player Actions:
- Research Data Forensic Analysis: Reveal systematic manipulation patterns affecting 30% of critical experimental results
- Classified Information Damage Assessment: Discover comprehensive exfiltration of breakthrough technology and intellectual property
- Collaboration System Security Investigation: Map compromise vector through international research partnership networks bridging air-gapped systems
- Scientific Validation Planning: Develop approach for verifying research integrity using independent sources and expert review
Malmon Identification Moment:
“As you analyze the attack methodology, the sophisticated capabilities become clear. Data manipulation designed to compromise research validity. Classified information exfiltration targeting scientific advantages. Nation-state resources and planning. This is Stuxnet-class espionage—sophisticated nation-state malware specifically designed to steal U.S. technological innovations and compromise scientific credibility. You’re dealing with an adversary targeting America’s research leadership and competitive advantages.”
Round Conclusion:
“Your initial investigation reveals the scope: sophisticated nation-state malware infiltrated through international collaboration systems, systematically manipulated experimental data while exfiltrating classified breakthrough technology to foreign adversaries. Dr. Vasquez’s scientific assessment is clear: ‘These results cannot be trusted without comprehensive validation.’ Dr. Morrison faces strategic reality: ‘Wednesday’s Congressional presentation could define national energy policy and our laboratory’s future funding. But presenting compromised research—or explaining that adversaries stole our innovations—both have serious consequences.’ Linda Park adds security context: ‘This is nation-state espionage targeting U.S. scientific leadership. We need federal counter-intelligence coordination immediately.’ The investigation deepens as you race against the Congressional deadline and foreign intelligence services.”
Round 2: Investigation
Situation Update:
“Twelve hours into the investigation, the espionage scope becomes alarmingly clear. Forensic analysis reveals the adversary exfiltrated complete classified research data—everything needed to replicate U.S. breakthrough technology. Linda Park explains: ‘They didn’t just steal data. They have our experimental methodologies, our theoretical models, our scientific innovations. Everything that gives America competitive advantage in renewable energy.’ Dr. Vasquez provides scientific context: ‘The data manipulation was strategic. Subtle errors that would invalidate our conclusions during Congressional peer review—designed to embarrass U.S. research credibility.’ Senator Brooks’ office calls confirming Congressional expectations for Wednesday. The presentation is 36 hours away.”
IM Questions to Ask:
- “The adversary exfiltrated complete breakthrough technology while manipulating research data. What does this dual-objective strategy tell you about their goals and sophistication?”
- “Dr. Vasquez can validate research using backup data and experimental replication, but comprehensive validation requires 5-7 days. What’s your confidence in partial validation within the Congressional presentation timeline?”
- “Attribution points to a specific nation-state adversary targeting U.S. scientific advantages. How does this change your response strategy, and what additional coordination is required?”
Pressure Points to Introduce:
- Congressional Expectations: Senator Brooks’ staff confirms Energy Committee leadership cleared Wednesday schedule for groundbreaking technology demonstration—postponement has political consequences
- Scientific Integrity: Dr. Vasquez emphasizes: “I will not present questionable data to Congress regardless of political importance. Scientific credibility is non-negotiable.”
- National Security Impact: DOE Security confirms classified technology compromise represents major loss of U.S. competitive advantage in strategic energy sector
Round Conclusion:
“Your deep investigation has mapped the complete espionage operation: a nation-state adversary deliberately targeted international collaboration as the infiltration vector, systematically stole classified breakthrough technology over six weeks, and manipulated research data to compromise U.S. scientific credibility. You understand both the technical compromise and the strategic implications. Dr. Morrison calls a final meeting. ‘The Congressional presentation is in 36 hours. I need your assessment: Can we validate research integrity in that timeline, or must we postpone and explain that foreign adversaries compromised classified research?’ Dr. Vasquez adds: ‘I can validate core breakthrough findings with high confidence, but comprehensive verification requires more time.’ The moment of decision approaches.”
Round 3: Response
Critical Decision Point:
“Tuesday afternoon, 24 hours before Congressional presentation. Dr. Morrison sits with Dr. Vasquez, Linda Park, and your incident response team. ‘I need your formal recommendation,’ he states clearly. ‘We have three options: Present breakthrough research Wednesday with validated core findings, postpone presentation for comprehensive data validation, or brief Congress on both breakthrough technology and sophisticated espionage incident. Each option has consequences. What do you recommend, and what’s your confidence level?’”
IM Questions to Ask:
- “What level of scientific validation do you need before recommending Congressional presentation of breakthrough research, and can you achieve that confidence in 24 hours?”
- “How do you balance competing priorities: Congressional expectations, scientific integrity, classified information protection, and counter-intelligence investigation?”
- “If you recommend postponement, what specific validation criteria would you require, and how do you explain a sophisticated espionage compromise to Congressional leadership?”
Success and Failure Branches:
If team recommends comprehensive validation with postponement:
“Dr. Morrison nods seriously. ‘Scientific integrity comes first. We postpone.’ He turns to prepare Congressional notification. Your team coordinates comprehensive validation using backup data and experimental replication. Senator Brooks is disappointed but understands: ‘Protecting research credibility is essential.’ Two weeks later, fully validated breakthrough technology is presented to Congress with additional briefing on sophisticated espionage threat and enhanced security measures. The research demonstrates both scientific excellence and security awareness.”
If team proposes validated core findings presentation:
“Dr. Vasquez considers carefully. ‘If we focus validation on core breakthrough findings using independent backup data and theoretical models, I can achieve high confidence by tomorrow.’ Dr. Morrison agrees: ‘We present validated research with transparent disclosure that comprehensive verification is ongoing.’ Your team develops detailed validation protocols working with scientific experts. The Congressional presentation proceeds with both a breakthrough technology demonstration and sophisticated security awareness. It’s a high-wire act, but the careful approach succeeds.”
If team attempts presentation without sufficient validation:
“Dr. Vasquez intervenes. ‘I cannot present data to Congress without confidence in its integrity. My scientific reputation and research credibility depend on accuracy, not political timelines.’ Dr. Morrison supports: ‘We postpone until validation is complete. Congressional disappointment is manageable. Presenting compromised research is not.’ Your technical approach was sound, but you learned that in federal research, scientific integrity and professional ethics override political schedules.”
Resolution Narration:
“Three weeks later, fully validated breakthrough renewable energy research is presented to Congress with a comprehensive security briefing on the nation-state espionage threat. Your response not only protected research integrity but provided critical intelligence about adversary scientific espionage capabilities. The FBI attributes the attack, DOE implements enhanced research security protocols, and your team’s MalDex entry on nation-state intellectual property theft becomes required reading for federal research laboratory defenders. Dr. Vasquez sends a personal message: ‘Thank you for protecting scientific integrity when political pressure was intense. That’s what research excellence requires.’”
Round 4+ (Advanced Challenge Only)
Round 4: Long-Term Research Security and Counter-Intelligence
“Six months after the incident, your successful response has led to a broader mission: DOE and FBI want you to help develop sector-wide defenses against nation-state scientific espionage targeting federal research laboratories. Intelligence suggests the attack on Advanced Energy Research Institute was part of a coordinated campaign against U.S. research facilities conducting strategic technology development.”
Advanced Challenge Elements:
- Develop comprehensive research security protocols that protect classified information while maintaining legitimate international scientific collaboration
- Create research data integrity validation frameworks that detect sophisticated manipulation through expert scientific review
- Design counter-intelligence coordination processes balancing research mission, security requirements, and federal investigation needs
- Address strategic implications: How does U.S. protect scientific competitive advantages while maintaining research collaboration essential for innovation?
Nation-State Adversary Evolution:
- Intelligence reveals adversary accelerates scientific espionage programs after detection—developing more sophisticated research infiltration techniques
- Geopolitical context evolves: International research collaboration becomes strategic battleground between openness and security
- Broader federal research security: What you learned has implications for all national laboratories conducting classified strategic technology research
8. Pacing & Timing Notes
Time Management Strategies
If Running Long:
- Condense Round 2 attribution analysis—provide nation-state intelligence as automatic reveal
- Streamline NPC interactions—combine Senator and DOE Investigator into single pressure conversation
- Fast-forward through technical malware details—provide summary of capabilities
- Abbreviate final resolution—focus on immediate presentation decision
If Running Short:
- Expand scientific validation discussion with detailed data analysis and expert review procedures
- Add NPC complexity: conflicting priorities between scientist (integrity), director (mission), security officer (classification protection)
- Develop attribution investigation: deep dive into nation-state espionage tradecraft and strategic objectives
- Extend response planning: comprehensive research security protocol development
If Team is Stuck:
- On data manipulation detection: Have Dr. Vasquez explain: “Automated validation passes, but the results don’t match theoretical models—experienced scientists can detect what systems miss”
- On compromise vector: Provide reveal: “International collaboration systems created bridge between unclassified partnership networks and air-gapped classified research”
- On presentation decision: Have Dr. Morrison ask: “What validation confidence level do you need before recommending Congressional briefing?”
- On espionage implications: Have Linda Park emphasize: “This isn’t just about data integrity—adversaries now have complete U.S. breakthrough technology”
Engagement Indicators
Positive Signs:
- Team debates presentation decision with genuine consideration of scientific integrity vs. Congressional timeline
- Players demonstrate understanding of research data validation and why expert review matters
- Discussion includes nation-state espionage implications beyond immediate incident
- Team coordinates role-based investigation (Detective on malware, Protector on data integrity, Tracker on exfiltration)
Warning Signs:
- Team oversimplifies scientific validation (“just check the data and present”)
- Confusion about research integrity vs. cybersecurity technical response
- Frustration with Congressional pressure or timeline constraints
- Team avoids espionage strategic implications
9. Debrief Discussion Points
Critical Learning Objectives
Technical Concepts:
- Research Data Integrity: Understanding how sophisticated malware can manipulate scientific results while evading automated validation, requiring expert scientific review
- Classified Information Protection: Learning research security challenges balancing international collaboration with intellectual property protection
- Nation-State Scientific Espionage: Recognizing sophistication indicators distinguishing foreign intelligence operations from conventional cybercrime
- Air-Gap Compromise Through Collaboration: Understanding how legitimate partnership systems can create bridges to isolated classified networks
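Worked illustration for facilitators of the first concept above, as an added example that is not part of the scenario text or of any tool the scenario references. It assumes a hypothetical experiment in which cell efficiency follows a simple linear model in irradiance (slope, intercept, noise level and plausibility window are all invented for the example), constructs 40 honest records and a backup manifest, then applies the kind of manipulation the scenario describes: a shift on 30% of records that is smaller than the per-record plausibility window. Schema, range and per-record checks all pass; only an aggregate check that uses the scientist's knowledge of expected measurement noise exposes the bias, and only comparison against an independent manifest identifies which records were altered.

```python
"""Added example (not from the scenario): automated checks vs. expert review
of manipulated experimental data, and record-level diff against a backup."""
import copy
import hashlib
import json
import math

# Hypothetical theoretical model (assumed for this example only):
# efficiency (%) ~= SLOPE * irradiance (W/m^2) + INTERCEPT, with instrument
# noise of roughly NOISE_SD percent. The scientist knows NOISE_SD; the
# automated pipeline only enforces the loose PLAUSIBLE_RESIDUAL window.
SLOPE = 0.018
INTERCEPT = 2.0
NOISE_SD = 0.10
PLAUSIBLE_RESIDUAL = 0.5

# Constructed noise pattern that sums to zero, so honest data carries no bias.
_NOISE = [-0.12, 0.08, -0.05, 0.11, -0.09, 0.04, -0.10, 0.13]


def make_honest_records(n=40):
    """Constructed sample data: n measurements that follow the model plus noise."""
    records = []
    for i in range(n):
        irr = 200 + (i % 17) * 50  # 200..1000 W/m^2, constructed spread
        eff = SLOPE * irr + INTERCEPT + _NOISE[i % len(_NOISE)]
        records.append({"id": i, "irradiance": irr, "efficiency": round(eff, 4)})
    return records


def manipulate(records, shift=0.35):
    """Constructed adversary behaviour: nudge ~30% of records upward by less
    than the plausibility window, so each record still looks fine on its own."""
    tampered = copy.deepcopy(records)
    for r in tampered:
        if r["id"] % 10 in (3, 6, 9):
            r["efficiency"] = round(r["efficiency"] + shift, 4)
    return tampered


def residual(r):
    """Difference between the measured value and the model prediction."""
    return r["efficiency"] - (SLOPE * r["irradiance"] + INTERCEPT)


def automated_validation(records):
    """Checks of the kind an automated pipeline runs: schema, physical range,
    and a loose per-record plausibility window. Returns ids that fail."""
    failing = []
    for r in records:
        ok = (isinstance(r.get("id"), int)
              and 0 < r.get("irradiance", 0) <= 1200
              and 0 <= r.get("efficiency", -1) <= 100
              and abs(residual(r)) <= PLAUSIBLE_RESIDUAL)
        if not ok:
            failing.append(r.get("id"))
    return failing


def model_consistency_review(records, sigma=3.0):
    """Expert-style check: given the known noise level, the mean residual of an
    honest data set should sit within sigma standard errors of zero. A small
    shift applied to many records produces a bias no single-record check sees.
    Returns (biased, mean_residual, threshold)."""
    n = len(records)
    mean_res = sum(residual(r) for r in records) / n
    threshold = sigma * NOISE_SD / math.sqrt(n)
    return abs(mean_res) > threshold, mean_res, threshold


def build_manifest(records):
    """Per-record SHA-256 over a canonical JSON encoding, as an independent
    write-once backup would carry."""
    return {r["id"]: hashlib.sha256(json.dumps(r, sort_keys=True).encode()).hexdigest()
            for r in records}


def diff_against_backup(records, manifest):
    """Return ids of records whose current hash no longer matches the backup."""
    current = build_manifest(records)
    return sorted(i for i in current if manifest.get(i) != current[i])


if __name__ == "__main__":
    honest = make_honest_records()
    manifest = build_manifest(honest)  # taken before the compromise
    tampered = manipulate(honest)
    print("automated checks failing:", automated_validation(tampered))
    biased, m, t = model_consistency_review(tampered)
    print(f"systematic bias detected: {biased} (mean residual {m:.3f}, threshold {t:.3f})")
    print("records differing from backup:", diff_against_backup(tampered, manifest))
```

The manifest is only as trustworthy as the archive it came from: the scenario gives the adversary six weeks of access, so a backup reachable from the compromised network can be rewritten along with the primary data, which is why the success conditions in section 10 require independent sources and experimental replication rather than a restore.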
Collaboration Skills:
- Multi-Stakeholder Coordination: Balancing scientist (integrity), director (mission), security officer (classification), and Congressional (policy) priorities
- Scientific Validation Methodology: Coordinating technical cybersecurity investigation with research data verification requiring domain expertise
- Strategic Decision-Making: Making presentation recommendations balancing incomplete validation, political pressure, and professional ethics
Reflection Questions
Scenario-Specific:
- “When Dr. Vasquez first mentioned data anomalies that ‘don’t match theoretical models,’ what made you trust scientific expertise over automated validation? What does that tell you about the value of domain knowledge in detecting sophisticated threats?”
- “The adversary both exfiltrated breakthrough technology AND manipulated research data. What does this dual-objective strategy reveal about nation-state espionage goals beyond simple information theft?”
- “Dr. Morrison asked for presentation recommendation 24 hours before Congressional briefing. Walk through your decision: what validation confidence did you need, and how did you balance competing pressures?”
- “International collaboration created the compromise vector, but also represents legitimate research mission. How do you balance openness essential for science with security necessary for classified research?”
Real-World Connections:
- “Nation-state adversaries routinely target U.S. federal research laboratories for strategic technology acquisition. What does this mean for research security and scientific competitive advantage protection?”
- “In your professional environment, where do you have tension between collaboration/sharing and security/protection? How do you balance these competing values?”
- “This scenario involved validating research integrity under political pressure. How do you maintain professional standards when timelines and stakeholder expectations create compromise pressure?”
- “What are implications of foreign adversaries acquiring U.S. breakthrough technologies through espionage rather than independent research? How does this affect innovation and competitive advantages?”
MalDex Documentation Prompts
Encourage teams to document:
- Research Data Integrity Validation: Techniques for detecting sophisticated manipulation requiring expert scientific review beyond automated validation
- Collaboration Security Protocols: Approaches for maintaining international research partnerships while protecting classified information
- Nation-State Espionage Attribution: Sophistication indicators and strategic objective analysis distinguishing foreign intelligence operations
- Scientific Integrity Decision Framework: Balancing research validation requirements with Congressional timelines and political pressure
- Classified Research Protection: Lessons about protecting intellectual property and competitive advantages in federal laboratory environments
- Counter-Intelligence Coordination: Best practices for coordinating cybersecurity investigation with federal security agencies during espionage incidents
10. Facilitator Quick Reference
Type Effectiveness Chart
Stuxnet (Nuclear/Electric dual-type):
Strong Against:
- Bug-type defenses (automated validation tools ineffective against sophisticated manipulation)
- Normal-type security (conventional research security insufficient for nation-state espionage)
- Psychic-type classification systems (standard protection inadequate for targeted intellectual property theft)
Weak Against:
- Electric-type defenses (expert scientific review detects anomalies automated systems miss)
- Psychic-type analysis (experienced researcher expertise validates data integrity through theoretical models)
- Steel-type controls (physical research security and collaboration access controls prevent infiltration)
Resists:
- Fire-type responses (aggressive rapid validation risks missing sophisticated manipulation)
- Grass-type containment (designed to spread through collaboration networks and air-gap bridges)
Vulnerable To:
- Electric-type comprehensive data validation using independent sources and expert review
- Psychic-type behavior analysis leveraging scientific domain expertise
Common Facilitation Challenges
Challenge 1: Team oversimplifies research validation or underestimates scientific integrity requirements
IM Response: “Dr. Vasquez pulls up the detailed analysis. ‘Look at this manipulation—it passes every automated check, maintains plausible data patterns, but violates our theoretical models. This is a sophisticated attack designed to evade standard validation. I cannot stake my scientific reputation and a decade of research on rapid verification. Science requires methodical validation, not rushed assumptions.’”
Challenge 2: Team paralyzed by competing priorities or Congressional pressure
IM Response: “Dr. Morrison recognizes your dilemma. ‘Let me clarify the framework: Scientific integrity is non-negotiable—that’s professional and ethical reality. Congressional expectations are important but secondary. Within integrity constraint, we optimize for timeline and mission. So the question becomes: what validation gives you confidence in research integrity, and how fast can you get there?’”
Challenge 3: Team focuses exclusively on technical investigation and misses espionage strategic implications
IM Response: “Linda Park interrupts the technical discussion. ‘I need you to understand the strategic picture: A foreign adversary now has complete specifications for U.S. breakthrough renewable energy technology—innovations that could have provided American energy independence and competitive advantage. This isn’t just about research integrity. This is about national security and scientific leadership.’”
Challenge 4: Team wants to present without sufficient validation to meet Congressional timeline
IM Response: “Dr. Vasquez speaks clearly: ‘I appreciate the political pressure, but I will not present questionable data to Congressional leadership. My scientific credibility and professional ethics require validation confidence. If that means postponement, I support that decision. Research integrity is absolute.’”
Dice/Success Mechanics Guidelines
For this scenario:
DC Ranges:
- Research Data Forensic Analysis: DC 14 (sophisticated manipulation designed to evade automated validation)
- Scientific Validation Using Expert Review: DC 13 (domain expertise enables detection)
- Classified Information Damage Assessment: DC 15 (comprehensive exfiltration analysis)
- Nation-State Attribution Analysis: DC 16 (sophisticated operational security tradecraft)
- Comprehensive Data Validation: DC 12 (time-consuming but technically achievable with independent sources)
- Rapid Presentation-Timeline Validation: DC 18 (high risk of insufficient verification)
Type Effectiveness Modifiers:
- Electric-type approaches (expert scientific review, independent validation): -3 to DC
- Psychic-type approaches (theoretical model validation, domain expertise): -2 to DC
- Steel-type approaches (collaboration security controls): -2 to DC
- Fire-type approaches (aggressive rapid validation): +3 to DC
- Bug-type approaches (automated validation tools): +5 to DC
Automatic Success Conditions:
- Comprehensive data validation using independent sources and experimental replication (given an appropriate timeline)
- Dr. Vasquez scientific approval for presentation (if team demonstrates sufficient validation confidence)
- Federal coordination for espionage investigation (if team engages proper counter-intelligence protocols)
Automatic Failure Conditions:
- Attempting Congressional presentation without addressing data integrity concerns
- Relying solely on automated validation for sophisticated nation-state manipulation
- Ignoring scientific integrity requirements due to political pressure
11. Scenario Customization Notes
Difficulty Adjustments
Make Easier:
- Reduce data manipulation sophistication: make anomalies more obvious and detectable with standard validation
- Simplify Congressional pressure: extend timeline to one week instead of 48 hours
- Streamline classification context: focus on technical investigation without complex federal security requirements
- Provide clearer scientific validation: make expert review processes more straightforward
Make Harder:
- Add active adversary response: nation-state attempts additional manipulation or evidence destruction when detection occurs
- Introduce conflicting scientific opinions: expert disagreement about validation sufficiency creates additional uncertainty
- Add insider threat complexity: suggestion that adversary may have recruited research insider to assist infiltration
- Expand scope: evidence suggests multiple federal research laboratories targeted simultaneously
Industry Adaptations
For Private Research/Pharmaceutical Context:
- Replace federal classification with trade secrets and intellectual property protection
- Adjust regulatory environment from DOE to FDA or patent law
- Modify timeline pressure from Congressional presentation to product launch or investor briefing
For University Research Context:
- Adapt scenario to academic research with grant funding pressure instead of Congressional oversight
- Change NPCs to university administrators, grant officers, and academic peer reviewers
- Adjust stakes from national security to research funding and academic reputation
For Financial Research/Analysis Context:
- Shift focus to proprietary financial models and investment research data manipulation
- Replace scientific validation with financial analysis verification and regulatory compliance
- Adjust stakeholders to investors, regulators, and competitive financial institutions
Experience Level Adaptations
For Novice Teams:
- Simplify scientific concepts with clear explanations of research validation and data integrity
- Reduce sophistication: present malware with obvious manipulation requiring basic forensic analysis
- Provide guided investigation with Dr. Vasquez offering frequent validation and scientific context
- Streamline competing priorities: focus on data integrity vs. timeline rather than complex stakeholder coordination
For Expert Teams:
- Add scientific depth: detailed data manipulation analysis, theoretical model validation, experimental replication planning
- Introduce counter-intelligence complexity: sophisticated attribution analysis and strategic espionage assessment
- Expand strategic implications: broader federal research security, international collaboration protocols, competitive advantage protection
- Require innovative solutions: no pre-defined validation approach works perfectly, team must develop creative hybrid methodology
12. Cross-References
Additional Scenario Variants
- Stuxnet Manufacturing Deadline: stuxnet-manufacturing-deadline-planning.qmd - Manufacturing context with production pressure
- Stuxnet Power Plant: stuxnet-power-plant-planning.qmd - Nuclear facility with critical infrastructure implications
- Stuxnet Water Treatment: stuxnet-water-treatment-planning.qmd - Municipal infrastructure with public health stakes
Additional Resources
MITRE ATT&CK Techniques:
- T1199 (Trusted Relationship): Initial access through the international collaboration partnership's systems
- T1565 (Data Manipulation): Research data systematic manipulation
- T1567 (Exfiltration Over Web Service): Classified information intellectual property theft
- T1078 (Valid Accounts): Stolen research credentials for classified system access
Real-World References:
- Nation-state targeting of U.S. national laboratories and federal research facilities
- Scientific espionage cases involving classified research and breakthrough technology theft
- International research collaboration security challenges
Professional Development:
- Research security and classified information protection
- Scientific integrity and data validation methodologies
- Counter-intelligence coordination and federal security investigation protocols
Notes for IM Customization
What worked well:
What to modify next time:
Creative player solutions to remember:
Timing adjustments needed: