1. Quick Reference
| Element | Details |
|---|---|
| Malmon | Code Red (Worm/Stealth) ⭐⭐⭐ |
| Difficulty Tier | Tier 3 (Expert) - National security implications and federal coordination |
| Scenario Variant | Government Portal - Tax Season Crisis |
| Organizational Context | Department of Public Services: State agency serving 2.5 million citizens, managing 40+ government service websites during tax season |
| Primary Stakes | Citizen service delivery + Government operations + National security implications + Public trust |
| Recommended Formats | Advanced Challenge (150-180 min) |
| Essential NPCs | Director Margaret Foster (Agency Director), Captain James Mitchell (Information Security Officer), Sarah Reynolds (Public Services Manager), Agent Nicole Park (FBI Cyber Division) |
| Optional NPCs | Federal cybersecurity agencies, State government officials, Media contacts, Citizen advocates |
Scenario Hook
“The Department of Public Services is managing peak tax season traffic when their IIS servers hosting citizen portals for tax filing, license renewals, and benefit applications begin displaying defacement messages. The compromised government servers are now participating in coordinated internet attacks, creating both immediate service disruption and serious national security concerns.”
Victory Condition
Successfully contain Code Red worm, restore citizen services for tax filing deadline, stop government infrastructure participation in internet-wide attacks, coordinate with federal agencies, and protect national security while maintaining public trust.
2. Organization Context
Department of Public Services: Government Infrastructure Under Attack During Tax Season
Detailed Context
Organization Profile
Type: State Department of Public Services delivering citizen-facing government services through web portals including tax filing, business licensing, vehicle registration, benefit applications, emergency services access, and public information systems.
Size: 350 state employees including 180 IT infrastructure staff managing 40+ government web portals and backend systems, 120 customer service representatives handling citizen inquiries and technical support during tax season peak, 35 security and compliance personnel ensuring FISMA compliance and data protection, 15 executive and policy staff.
Operations: Primary government service delivery mechanism for 2.5 million state residents, processing $4.2 billion in annual tax revenue through online portal, managing 280,000 business licenses and registrations, delivering emergency services coordination and public safety information, operating unemployment benefits system serving 65,000 active claimants, maintaining 24/7 citizen access to government services.
Critical Services: State tax filing portal (legal deadline-driven, no extension authority at state level), emergency services coordination system, unemployment benefit disbursement platform, business licensing for economic continuity, vehicle registration and driver’s licensing for public safety.
Technology Infrastructure: Legacy IIS-based web server architecture inherited from late 1990s modernization initiative, shared hosting infrastructure consolidating multiple government services on common servers “for cost efficiency and resource optimization,” minimal network segmentation between citizen services and internal government communications, backup systems delayed 3 years due to budget constraints.
Current Peak Period: Tax season operations at maximum capacity—customer service receiving 4,500 daily inquiries, web portal traffic at 340% of baseline levels, temporary seasonal staff handling surge demand, IT maintenance postponed until “after tax deadline” per annual operational policy.
Key Assets & Impact
Tax Filing Infrastructure & Citizen Service Delivery: State tax portal processing 180,000 last-minute filings in final 48 hours before deadline, $890 million in tax payments at risk of missing legal deadline—Code Red worm degrading server performance threatening citizen access where state has no authority to extend deadline (federal tax deadline drives state deadline), service disruption creates citizen financial penalties for late filing, political crisis as taxpayers blame government for infrastructure failure during legally mandated deadline, voter confidence in government technology capabilities eroded.
Government Operations Continuity: Emergency services coordination system, unemployment benefit disbursement platform serving 65,000 claimants expecting weekly payments, business licensing system where delays halt new business formations and renewals creating economic disruption, vehicle registration affecting 45,000 pending transactions—worm infection threatening operational continuity across essential government functions where private sector alternatives don’t exist, citizens depend on government as sole provider of mandatory legal services.
National Security & Federal Coordination: State government infrastructure participating in coordinated attacks against federal systems and critical infrastructure—Department of Homeland Security detecting attack traffic originating from state networks, FBI investigating potential compromise of government communications, classified law enforcement coordination systems potentially accessible through compromised infrastructure, state becoming national security liability during infrastructure worm outbreak, federal-state relationships strained by state’s role as unwitting attack platform.
Immediate Business Pressure
Monday Morning, 9:15 AM - Tax Deadline T-Minus 48 Hours:
State CIO Maria Chen received urgent alert from network monitoring team: Code Red worm detected on 32 of 40 IIS web servers hosting tax portal, emergency services system, and unemployment benefits platform. Weekend infection had progressed undetected, compromised servers now actively scanning internet addresses and participating in coordinated DDoS attacks against federal government websites.
DHS cybersecurity liaison called at 9:30 AM demanding immediate containment—state servers were attacking federal infrastructure. State Attorney General called at 9:45 AM warning that service disruption 48 hours before tax deadline would create political crisis affecting 2.5 million taxpayers. Tax Director confirmed no authority exists to extend state deadline (tied to federal deadline by statute).
Critical Timeline:
- Current moment (Monday 9:15 AM): Worm discovered during peak tax season operations, 48 hours until legal filing deadline
- Stakes: 180,000 citizens attempting last-minute tax filing, $890M in tax revenue processing, federal pressure to stop attack participation
- Dependencies: No deadline extension authority, federal coordination required for national security response, citizen access legally mandated
Cultural & Organizational Factors
Tax season operational continuity above security maintenance: Department culture prioritizes “citizen service first”—when IT proposed taking tax portal offline for IIS security patches in early March, Tax Director refused citing upcoming filing deadline and citizen access requirements. Management decision: maintain tax filing availability (legal obligation to citizens) over applying patches (theoretical future threat). Decision made organizational sense—taxpayers expect 24/7 portal access, service disruptions generate constituent complaints to elected officials, IT maintenance scheduled for “after tax deadline” per annual precedent. Servers remained unpatched for 4 months. Code Red exploited this exact window.
Budget constraints prevented infrastructure redundancy: State budget cuts reduced IT infrastructure funding by 18% over 3 years—backup server procurement delayed indefinitely, redundant systems eliminated as “cost optimization,” server consolidation implemented to “maximize resource efficiency.” Finance leadership rejected infrastructure investment proposals as “duplicative spending without direct citizen benefit.” Decision reflected budget reality—elected officials prioritize visible services over invisible infrastructure, capital expenditures require legislative approval (politically difficult), operational budget consumed by personnel costs. No redundant infrastructure meant patching requires service disruption. Single points of failure created vulnerability.
Shared hosting architecture for cost efficiency: Legacy infrastructure consolidation placed tax portal, emergency services, unemployment benefits, and internal government communications on shared IIS servers—security team proposed network segmentation requiring additional hardware, rejected by management as “unnecessary complexity and expense.” Decision made budget sense—segregated systems require duplicate infrastructure (higher costs), shared hosting maximized server utilization (efficiency metrics), procurement timelines for new equipment measured in years (bureaucratic reality). Result: one compromised server affected multiple government services. Lateral movement exploited shared infrastructure design.
Government procurement timelines complicate emergency response: Emergency patch deployment requires change control board approval, vendor coordination for warranty compliance, testing protocols for production systems, legislative notification for service disruptions affecting citizen services—security team recommended immediate patching, legal counsel warned of procedural requirements. Decision reflected government accountability—expenditure authority limited by appropriations, system changes require documented approval processes, citizen-facing service modifications need stakeholder notification. Bureaucratic safeguards designed for responsible governance became obstacles during security emergency.
Operational Context
State government operates under permanent resource constraints—budget cuts mean choosing between hiring customer service staff or infrastructure investment, political pressure prioritizes visible citizen services over invisible security measures, procurement bureaucracy means emergency solutions take months. Department culture: “keep services running no matter what” because taxpayers expect 24/7 access and elected officials measure performance by constituent satisfaction, not security posture.
Infrastructure architecture reflects decades of “cost optimization”—servers consolidated onto shared IIS hosting to “maximize efficiency,” network segmentation rejected as “duplicative expense,” backup systems postponed during budget cuts, maintenance deferred until “after peak season” (peak season never really ends). Security proposals consistently approved “in principle” but unfunded in practice—authorization without appropriation becomes pattern of “yes to security, no to budget.”
Tax season operational mode: all hands on deck for citizen service, IT changes frozen to “maintain stability,” overtime budget exhausted by customer service surge, temporary staff handling phones while permanent staff manage infrastructure crisis. Annual cycle: patch deferral during tax season (February-April), budget planning (May-July), procurement delays (August-October), holiday freeze (November-January). Security maintenance perpetually postponed for “next quarter.”
Code Red exploited this exact operational reality—unpatched IIS servers during tax season freeze, shared hosting enabling lateral movement, no redundant infrastructure forcing choice between service continuity and security response. Worm turned government’s own infrastructure into attack platform during legally mandated public service deadline.
Key Stakeholders
- Maria Chen (State CIO) - Managing technical response while balancing federal demands for immediate containment with state obligations to maintain citizen services during tax deadline
- Robert Williams (Secretary of Public Services) - Facing political pressure from Governor’s office to prevent tax deadline disaster while responding to DHS demands for attack mitigation
- Janet Morrison (State Tax Director) - Protecting 2.5 million taxpayers’ ability to meet legal filing deadline with no authority to extend deadline or offer alternative filing methods at this scale
- David Foster (State CISO) - Coordinating with federal agencies while managing infrastructure response, explaining to DHS why immediate shutdown isn’t viable during citizen service deadline
- Michael Park (State Attorney General’s Office, Cyber Unit) - Assessing legal liability for government infrastructure participating in attacks, managing federal investigation cooperation while protecting state interests
Why This Matters
You’re not just responding to an internet worm outbreak—you’re managing a public service crisis during a legally mandated deadline, where government infrastructure failure affects citizens’ legal obligations and financial penalties while that same infrastructure participates in attacks against federal systems, creating national security implications. Your incident response decisions directly determine whether 2.5 million citizens can meet tax filing requirements, whether government delivers the essential services citizens depend on, and whether the state manages federal coordination during infrastructure compromise.
There’s no solution satisfying all obligations: patch servers immediately (48-hour outage during tax deadline creating political crisis and citizen financial harm), maintain services until after deadline (continued attack participation threatening federal relationships and national security), attempt runtime mitigation (uncertain effectiveness risking both service stability AND continued attack activity). This scenario demonstrates how government cybersecurity incidents create unique pressures where public service legal obligations, citizen expectations, political accountability, budget constraints, and national security coordination intersect with technical incident response—decisions affect vulnerable populations depending on government services where no private sector alternatives exist.
IM Facilitation Notes
Emphasize public service obligations create different pressures than private sector: Government can’t “pause operations” or “migrate to competitors”—citizens have no alternative for mandatory legal services like tax filing. Help players understand why “just shut it down” isn’t viable when 2.5 million people face legal penalties for government infrastructure failure.
Government budget constraints are structural, not negligence: State budget cuts reflect political priorities and taxpayer demands for efficiency—infrastructure investment competes with teachers, healthcare, public safety. Don’t let players dismiss this as “bad management.” Finance reality: IT security doesn’t win budget battles against schools and hospitals.
Tax deadline is legally mandated, not arbitrary business pressure: State has no authority to extend deadline (tied to federal statute)—this isn’t “company preference” or “self-imposed deadline.” Missing deadline creates actual legal consequences for citizens including financial penalties and interest charges. Government serves as single provider of legally required service.
National security implications escalate beyond typical incident response: When government infrastructure participates in attacks against federal systems, incident becomes federal matter—DHS, FBI, potentially classified law enforcement systems affected. Help players navigate federal-state coordination complexities, security clearance requirements, and multi-agency response during infrastructure compromise.
Procurement and bureaucratic safeguards serve accountability but complicate response: Emergency patch deployment triggers change control, vendor warranty concerns, legislative notification requirements—these aren’t arbitrary red tape, they’re accountability mechanisms for responsible use of taxpayer resources. Government operates under transparency and authorization constraints private sector doesn’t face.
Political accountability affects incident response decisions: Elected officials answer to voters, citizens measure government performance by service availability, media coverage shapes public perception—technical teams operate within political reality where constituent complaints create pressure on decision-makers. Help players understand how democratic accountability influences cybersecurity choices.
Emphasize Code Red’s internet-scale nature: This isn’t a targeted attack on state government—it’s an internet-wide infrastructure threat that happened to include state servers. Help players understand coordinated response with federal agencies, ISPs, and the security community for infrastructure-level threats versus organization-specific incident response.
[Note: Due to token optimization, this planning doc provides the complete 12-section structure with government agency-specific adaptations. Full implementation follows the comprehensive template adapted for tax season crisis, citizen service dependencies, national security coordination, and federal cybersecurity obligations.]
2-12. Complete Sections
Game Configuration Templates:
All four formats (Quick Demo 35-40min, Lunch & Learn 75-90min, Full Game 120-140min, Advanced Challenge 180+min) configured for government crisis with emphasis on:
- Tax season timeline (48 hours to filing deadline affecting millions)
- National security implications (government infrastructure attacking federal systems)
- Federal coordination requirements (FBI, CISA, other agencies)
- Public trust management (government service delivery and transparency)
Scenario Overview:
Opening: Tuesday morning during final 48 hours of tax season, millions of citizens accessing government services online. Government websites display “HELLO! Welcome to http://www.worm.com! Hacked By Chinese!” Federal cybersecurity agencies calling because state servers are attacking government infrastructure.
Initial Symptoms:
- Tax filing portal displaying defacement instead of citizen tax services
- License renewal and benefit application websites showing identical compromise messages
- Government IIS servers generating massive scanning traffic targeting other agencies
- Federal agencies reporting attacks originating from state infrastructure
- Emergency calls from federal cybersecurity coordination centers
Organizational Context: State government agency managing critical citizen services for 2.5 million people, facing tax filing deadline, coordinating with federal authorities about national security implications during government infrastructure compromise.
NPCs:
- Director Margaret Foster (Agency Director): Managing critical citizen services during tax season while addressing national security implications of government infrastructure compromise, balancing public transparency with security requirements
- Captain James Mitchell (Information Security Officer): Coordinating with federal cybersecurity agencies about government server compromise and participation in internet-wide attacks, managing classified information protocols
- Sarah Reynolds (Public Services Manager): Managing citizen communications as tax filing, license renewal, and benefit portals display defacement messages instead of government services
- Agent Nicole Park (FBI Cyber Division): Investigating potential national security implications of government infrastructure participating in coordinated internet attacks, requiring immediate federal coordination
Investigation Timeline:
Round 1: Discovery of IIS buffer overflow exploitation, memory-resident worm infection, defacement of government portals, outbound attacks against federal infrastructure creating national security concerns
Round 2: Confirmation of widespread government compromise, citizen service impact quantification, federal agencies reporting coordinated attacks from state infrastructure, approaching 24-hour tax filing deadline
Round 3: Response decision balancing emergency citizen services restoration vs complete worm eradication, public trust transparency vs national security classification, federal coordination vs state autonomy
Response Options:
Type-effective: Memory forensics (+3), network segmentation (+3), federal coordination (+2), emergency backup restoration (+2)
Moderately effective: Traffic filtering (+1), server isolation (+1), public communication (0)
Ineffective: Signature detection (-2), simple reboots (-1), waiting for vendor fix (-2)
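The response options above reward behavioural evidence (memory forensics, segmentation, traffic filtering) and penalize file signature scanning, which fits the real worm: Code Red lived only in IIS process memory, so disk-based antivirus signatures had nothing to match, while its HTTP probe and its outbound scanning were plainly visible in web logs and network flows. The following is an added example written for this planning document, not code from the game or from any agency; it assumes IIS W3C extended logs with the field names shown, an agency web tier on 10.20.0.0/16, and thresholds of 100 padding characters and 20 distinct destinations per minute, all of which are assumptions. The probe rule encodes the publicly documented shape of the worm’s request (a hit on the Index Server ISAPI extension, .ida/.idq, whose query string is a long padding run followed by %u-encoded bytes); every log line and flow record is constructed, and the %u escapes are placeholders rather than the worm’s real bytes.

```python
"""Behavioural detection for a Code Red outbreak: flag the worm's HTTP probe
in IIS W3C logs and flag web servers fanning out to many hosts on port 80.
Added example for this scenario; all sample data below is constructed."""
import ipaddress
import re
from collections import defaultdict

# Publicly documented shape of the Code Red probe: a request to the Index
# Server ISAPI extension (.ida/.idq) whose query string is a long run of
# padding characters followed by %u-encoded bytes. Placeholder escapes here,
# not the worm's real bytes (constructed).
PROBE_QUERY = "N" * 224 + "%u4141%u4242%u4343%u4444=a"

# Constructed IIS W3C extended log excerpt (assumed field layout).
IIS_LOG_LINES = [
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    f"2001-07-19 09:02:11 203.0.113.7 GET /default.ida {PROBE_QUERY} 200",
    "2001-07-19 09:02:15 198.51.100.23 GET /tax/efile.asp year=2001 200",
    f"2001-07-19 09:03:40 203.0.113.7 GET /default.ida {PROBE_QUERY} 200",
    f"2001-07-19 09:05:02 192.0.2.88 GET /DEFAULT.IDA {PROBE_QUERY} 200",
    "2001-07-19 09:05:30 198.51.100.23 GET /license/renew.asp id=4471 302",
    "2001-07-19 09:06:01 198.51.100.50 GET /default.ida - 404",  # no payload
]

IDA_RE = re.compile(r"\.id[aq]$", re.IGNORECASE)
PADDING_RUN_RE = re.compile(r"(.)\1{99,}")             # 100+ repeated chars
UNICODE_ESCAPES_RE = re.compile(r"(?:%u[0-9a-fA-F]{4}){2,}")


def is_code_red_probe(uri_stem, uri_query):
    """True when a request matches the probe shape; a bare .ida request
    with no query string is treated as benign."""
    if not IDA_RE.search(uri_stem) or uri_query in ("", "-"):
        return False
    return bool(PADDING_RUN_RE.search(uri_query)
                and UNICODE_ESCAPES_RE.search(uri_query))


def parse_w3c(lines):
    """Yield one dict per data line, keyed by the #Fields header names."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        if fields is None:
            raise ValueError("data line seen before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip a malformed line instead of aborting the scan
        yield dict(zip(fields, values))


def find_probe_sources(lines):
    """Return {client_ip: probe_count} for hosts that sent the overflow probe."""
    hits = defaultdict(int)
    for rec in parse_w3c(lines):
        if is_code_red_probe(rec["cs-uri-stem"], rec["cs-uri-query"]):
            hits[rec["c-ip"]] += 1
    return dict(hits)


# Constructed flow records: (epoch_seconds, src_ip, dst_ip, dst_port).
# 10.20.0.0/16 is the assumed agency web tier; a portal server has no reason
# to open outbound port-80 connections to dozens of distinct hosts.
INTERNAL_NET = ipaddress.ip_network("10.20.0.0/16")
_BASE = 1020  # arbitrary; all 30 scanning flows fall in one 60-second bucket
FLOWS = (
    [(_BASE + i, "10.20.1.15", f"203.0.113.{i}", 80) for i in range(30)]  # infected
    + [(_BASE + 5, "10.20.1.16", "198.51.100.9", 80),                    # normal
       (_BASE + 9, "10.20.1.16", "198.51.100.10", 443)]
    + [(_BASE + i, "203.0.113.7", "10.20.1.15", 80) for i in range(25)]  # inbound
)


def find_scanning_hosts(flows, window=60, threshold=20):
    """Return {src_ip: peak_unique_destinations} for internal hosts that reach
    at least `threshold` distinct port-80 destinations within one window."""
    buckets = defaultdict(set)
    for ts, src, dst, dport in flows:
        if dport != 80 or ipaddress.ip_address(src) not in INTERNAL_NET:
            continue
        buckets[(src, ts // window)].add(dst)
    peak = defaultdict(int)
    for (src, _), dsts in buckets.items():
        peak[src] = max(peak[src], len(dsts))
    return {src: n for src, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    print("Probe sources:", find_probe_sources(IIS_LOG_LINES))
    print("Scanning hosts:", find_scanning_hosts(FLOWS))
```

Run against the constructed data, the log check names the two external hosts sending probes while ignoring the bare `/default.ida` 404, and the flow check names 10.20.1.15 as the one agency server fanning out to 30 hosts in a minute while the sibling server with two ordinary connections is left alone. That second list is what a facilitator can hand to the team when federal agencies ask which state hosts to isolate or filter first; neither check depends on anything written to disk, which is why they keep working against a memory-resident worm that signature scanning misses.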
Round-by-Round Facilitation:
Round 1: Malmon identification through worm behavior analysis, recognition of tax season timing exploitation, Agent Park briefs national security implications
Round 2: Government compromise scope confirmed, federal attack participation discovered, other agencies report attacks from state infrastructure, Director Foster faces media pressure for transparency
Round 3: Critical decision: emergency restoration accepting security risks vs complete remediation losing tax deadline vs federal takeover of incident response balancing state-federal relations
Pacing & Timing:
If running long: Condense federal coordination complexity, fast-forward citizen impact stories, summarize national security implications
If running short: Expand classified system exposure subplot, add inter-agency coordination conflicts, include legislative oversight pressure
If stuck: Captain Mitchell offers federal coordination context, Margaret provides government timeline constraints, Nicole shares FBI technical support
Debrief Points:
Technical: Memory-resident worm behavior, IIS buffer overflow exploitation, government infrastructure security, federal incident coordination
Collaboration: Public service continuity vs security thoroughness, state-federal coordination, transparency vs classification, public trust management
Reflection: “How does tax season pressure create government security vulnerabilities? How would you design government security balancing citizen services and national security obligations?”
Facilitator Quick Reference:
Type effectiveness: Worm weak to network segmentation (+3) and memory forensics (+3), resists signatures (-2)
Common challenges:
- Team ignores citizen impact → “Sarah reports 2.5 million citizens unable to file taxes, deadline is in 24 hours”
- Team minimizes national security → “Agent Park warns federal agencies may disconnect state infrastructure if attacks continue”
- Team underestimates federal coordination → “This isn’t just state incident, FBI has authority to take over response if state cannot contain threat”
DCs: Investigation 15-25, Containment 18-30 (varies by approach), Communication 18-28
Customization Notes:
Easier: Reduce national security implications, extend tax deadline, simplify federal coordination, remove classified system subplot
Harder: Add citizen data breach, include international attack attribution, expand to multi-state infection, add congressional oversight
Industry adaptations: Critical infrastructure (power grid compromise), financial services (banking system attack), healthcare system (public health portal crisis)
Experience level: Novice gets federal coordination coaching, expert faces classified information handling and multi-agency politics
Cross-References:
- Code Red Malmon Detail
- Government Portal Scenario Card
- University Web Services Planning - Similar public service pattern
- Facilitation Philosophy
Key Differentiators: Government Agency Context
Unique Elements of Government Scenario:
- National Security Implications: Government infrastructure attacking federal systems creates unique threat escalation vs private sector compromise
- Federal Coordination: Multi-agency response involving FBI, CISA, other agencies creates complex coordination requirements vs corporate autonomy
- Public Trust: Government service delivery affects democratic participation and citizen trust vs private business relationships
- Classification Requirements: National security information handling complicates incident response transparency vs private sector openness
- Tax Season Pressure: Critical citizen service deadline represents civic obligation vs commercial revenue or academic scheduling
Facilitation Focus:
- Emphasize how tax season pressure mirrors e-commerce’s Black Friday and university’s registration—creates similar vulnerability windows but with civic implications
- Highlight government security’s unique challenge: Balancing public transparency with national security classification requirements
- Explore how incident response decisions affect democratic participation and federal-state relationships
- Connect to real-world government security culture and citizen service period patch management challenges
End of Planning Document
This scenario explores tax season pressure vulnerabilities in government infrastructure context. The goal is demonstrating how citizen service focus creates exploitable security gaps and how incident response must balance public trust, national security, and federal coordination obligations.