A preliminary report from the FCC has revealed additional details about the situation that caused a false missile threat alarm in Hawaii earlier this month. It really was human error, as initial reports indicated, but now the nature of that error (errors, really) is a bit clearer.
It was known that Hawaii’s Emergency Management Agency had planned to send a test alert to internal systems on the morning of the 13th, but that somehow this alert leaked out into the public communications systems.
The new report explains that the issue was not just a missed click, but several things:
- The test was meant to take place during the morning shift change, in order to be more confusing and keep workers on their toes.
- The morning supervisor thought that the outgoing evening supervisor meant to test the evening crew just getting off, not the day crew just coming on — so he wasn’t in the right place to keep an eye on the latter.
- The officers on morning duty received a recorded call purporting to come from US Pacific Command announcing an incoming missile, including the phrase “this is not a drill.” However, because it actually was a drill, this recording also had the phrase “exercise, exercise, exercise” at the beginning and end. Unfortunately, one officer at the EMA didn’t hear either repetition, and more unluckily, he was the one sitting at the terminal used to send out alerts.
- That officer sent out the alert, despite two other officers saying later that they knew it was a drill. But they either did not think to or had no time to interfere with the first before he sent out the alert. The supervisor, as mentioned before, was also not present.
So basically, we had a sort of comedy of errors that could very easily have been a tragedy. Obviously a major alert like this should have more than a dialog box as a safety mechanism to make sure it isn’t in error, or even set off by a rogue officer.
With respect to inadequate safeguards, most importantly, there were no procedures in place to prevent a single person from mistakenly sending a missile alert to the State of Hawaii. While such an alert addressed a matter of the utmost gravity, there was no requirement in place for a warning officer to double check with a colleague or get signoff from a supervisor before sending such an alert.
It is also troubling that Hawaii’s alert origination software did not differentiate between the testing environment and the live alert production environment. Hawaii’s alert origination software allowed users to send both live alerts and test alerts using the same interface, and the same log-in credentials, after clicking a button that simply confirmed “Are you sure you want to send this alert?” In other words, the confirmation prompt contained the same language, irrespective of whether the message was a test or an actual alert.
…Common industry practice is to host the live alert production environment on a separate, user-selectable domain at the log-in screen, or through a separate application. Other alert origination software also appears to provide clear visual cues that distinguish the test environment from the live production environment, including the use of watermarks, color coding, and unique numbering.
The Hawaii Emergency Management Agency had not anticipated the possibility of issuing a false alert and, as such, had failed to develop standard procedures for its response. It first sent out a correction using social media, rather than the same alerting systems that it used to transmit the false alert. Indeed, the agency was not immediately prepared to issue a correction using these systems. The agency also did not maintain redundant and effective means to communicate with key stakeholders during emergencies.
Fortunately both the FCC and Hawaiian authorities are looking into it, and have already taken the following steps:
It has created a new policy that supervisors must receive advance notice of all future drills. It will require two credentialed warning officers to sign in and validate the transmission of every alert and test. It has created a false alert correction template for Emergency Alert System and Wireless Emergency Alert system messages so that warning officers are more readily prepared to correct a false alert, should one ever occur again. It has requested that its alert origination software vendor integrate improvements into the next iteration of its software to more clearly delineate the test environment from the live production environment, helping to safeguard against false alerts.
Hawaiians can probably feel a bit safer, but of course the big problem is that any of this was possible in the first place with a system of such importance.