What Can We Learn from Hawaii's False Alarm?

The false missile alert that was sent out from emergency management personnel in Hawaii last week sparked an initial public panic, national outrage, global media coverage and numerous government investigations. Official inquiries are ongoing and many more reports are coming, but what do we know so far? Here are the details and some of the lessons that we can take away.

On Dec. 7, 1941, at about 8 a.m. on a quiet Sunday morning, Hawaii was hit by an overwhelming surprise attack at Pearl Harbor. This incident became a pivotal moment in history and propelled the United States into World War II. Looking back, the Hawaiian people, the government and the nation as a whole were not prepared for the incidents that occurred on a “date which will live in infamy.”

On Jan. 13, 2018, at about 8 a.m. on a quiet Saturday morning, an emergency alert was sent out to the Hawaiian public via multiple media channels. The message stated that another catastrophic attack was about to strike Hawaii. Thankfully, as we all know now, that message turned out to be a false alarm. Nevertheless, the Hawaiian people, the government and the nation as a whole were not properly prepared for the incident that occurred.  

What Happened? What Went Wrong?

There are numerous reports about the events that occurred in Hawaii on Saturday, Jan. 13.

According to CNN, Hawaii had been running tests in order to prepare for a potential nuclear strike from North Korea since early December 2017, by testing sirens and performing other emergency management exercises. 

New York magazine described the events this way:

“The mistake started while a shift change was under way on Saturday morning in the bunker headquarters of the Hawaii Emergency Management Agency (HEMA). During a routine test of the state’s emergency and wireless-emergency alert systems, a state employee selected “missile alert” instead of “test missile alert” from a drop-down menu in the agency’s alert-system software, then confirmed his incorrect selection with another click.

Because of that human error, at roughly 8:07 a.m. local time, the false ballistic-missile alert was sent out to mobile phones across the state, and a longer version of the same pre-written warning was automatically broadcast on the state’s television and radio stations. No outdoor sirens were triggered by the alert, as they are part of a separate system, but some military bases voluntarily activated their sirens in response to the alarm anyway. …”

The New York Times reported that officials said the alert was the result of human error and not the work of hackers or a foreign government. The mistake occurred during a shift-change drill that takes place three times a day at the emergency command post, according to Richard Rapoza, a spokesman for the agency.

“Someone clicked the wrong thing on the computer,” he said.

State officials said that the agency and the governor began posting notices on Facebook and Twitter announcing the mistake, but that a flaw in the alert system delayed sending out a cellphone correction. As a result, they said a “cancellation template” would be created to make it easier to fix mistaken alerts. A new procedure was instituted Saturday requiring two people to sign off before any such alert is sent.

The public reaction was all over the map, with some public panic reported. The LA Times told this personal story:

It was a nice morning on the Big Island of Hawaii as Kevin and Pamela Spitze drove to an art show in Hilo when the words popped up on Kevin’s cellphone screen:


Then it added for emphasis: “THIS IS NOT A DRILL.”

The Spitzes, who recently moved from Los Angeles to Hawaii’s Big Island, said they were in paradise but already had been living on edge given the recent inflammatory bluster between President Trump and North Korean leader Kim Jong Un over nuclear annihilation. “We have such a barrage of negative stuff that has been happening that our senses have been heightened,” said Pamela Spitze, 64. “We thought it was the real thing. We are very concerned.”

For nearly 40 nail-biting minutes, so were millions of other Hawaii residents and vacationers. Video emerged of adults removing manhole covers and lowering children into sewers in a desperate attempt to escape a ballistic missile hurtling their way. People broke into tears, told relatives they loved them and scattered back to their homes and hotels, unsure what to do next.

Finally, at 8:48 a.m., 38 minutes after the alerts went out, authorities announced it was a false alarm, a mistake, simply human error.

Why So Long to Cancel the Alert?

OK, an honest mistake was made. But why did it take so long to tell everyone that a mistake was made?

According to The Huffington Post:

A hearing with Hawaii lawmakers on Friday revealed that Gov. David Ige knew last weekend’s missile alert was a false alarm two minutes after it was broadcast across the state, but didn’t notify the public of it until 15 minutes later.

The false alert was triggered at 8:07 a.m. on Jan. 13. Maj. Gen. Arthur “Joe” Logan told state legislators that he personally called Ige to let him know that Hawaii was not facing a missile threat at 8:09 a.m. 

It wasn’t until 8:24 a.m. that the governor’s office publicly acknowledged the mistake by retweeting the Hawaii Emergency Management Agency, with the added note, “There is NO missile threat. ...”

The first person to notify the public of the emergency agency’s mistake appears to be a 17-year-old who was able to call state emergency officials immediately after receiving the alert.

The high school student, William Heyler, told local news station KHON2 that he decided to check in with the agency after he noticed that there were no sirens to accompany the alarm. Within five minutes of the alert, Heyler talked to an official and tweeted that it was a mistake. His tweet went out at 8:12 a.m.

Five Lessons Learned

There are dozens of current articles offering potential lessons learned with many more to come. Here are some of my initial thoughts.

First, and perhaps the most important lesson, is that much better system protections must be put in place nationwide to prevent such warnings from being inadvertently issued again. It was far too easy for this mistake to happen. Although this was human error, that Hawaii Emergency Management Agency staff member should never have been able to make that simple mistake. This was (at least partially) a system design mistake.

All state and local emergency management agencies nationwide, as well as support groups (including private-sector technology partners), should be examining their staff training, alert processes and system technology to drastically reduce the likelihood that such false alerts ever happen again.

Politico elaborated on this lesson by saying that state emergency management systems need to make it much more difficult to have a false alert — just as the military has learned over decades in their exercises. They point out that no inadvertent missile launches or major false alarms have come from the military, since they have many more protections in place.

Second, several potential cybersecurity lessons emerged from this incident, even though this false alert was caused by human error and not the result of a cyberattack. Business Insider ran this story about a picture from Hawaii’s emergency management agency showing a password posted on a yellow sticky note by the computer.

There was initial fear of false alerts being issued (or other actions occurring) as the result of a cyberattack or hacking incident, and these emergency management pictures do not instill more confidence.

Access to these mission-critical emergency management systems should be examined nationwide, and security risk assessments should be performed. Now that these systems and processes have been highlighted on global media, I have no doubt that hackers are trying to gain unauthorized access to cause harm.

Third, Maryland counties highlighted the need to protect emergency alert contact information lists. 

“While the cause in this particular incident was human error, it is also critical for states and local governments to protect their emergency contact information. As part of their 2018 legislative initiatives, both MACo and the Maryland Municipal League are introducing legislation to prohibit the release of an individual’s personal contact information (street address, email address, or telephone number) under the Maryland Public Information Act where that information was solely provided or gathered to create an alert, notice, or news distribution list. This prevents residents from being spammed with unwanted messages, or worse, false alerts that are made to look like official notices. MACo believes this makes sense from both a security and privacy perspective.”

Fourth, the FCC and other state and federal organizations such as DHS are re-examining their communication processes and procedures for nationwide emergency alerts. All government agencies involved in emergency planning and response can benefit from this review process.  

This review should involve communication between organizations before, during and after such incidents. There are many other national plans that may also be affected, and this should prompt reviews of wider emergency planning and response efforts. For example, had this been a cyberattack, would the National Cyber Incident Response Plan (NCIRP) have worked well?  

This incident led to many questions being asked, such as: Should the president make an immediate statement? Who contacts whom in such time-sensitive emergencies? Who needs to be contacted, and when? What steps should be taken to respond after mistakes are made?

Fifth, even though these events were unwanted in many ways, this incident should be studied closely from various perspectives. What actually happened in detail? Who made what decisions, and when?

As The Atlantic Magazine’s Wong notes:

“This is probably going to be the single greatest learning experience that any state has ever had in trying to figure out how to respond to an immediate threat,” [state representative Chris Lee] said, noting that the emergency system has never been tested like it was on Saturday. Now, he said, all the researchers and scientists and government officials designing disaster plans have a huge “treasure trove of data about what really works, how people respond, how we can save infinitely more lives than we could in the past.”

Final Thoughts

How can the federal government, state emergency management personnel, local response agencies and the general public make lemonade out of this lemon? By taking notice and ensuring that the same mistakes are not made again. Hopefully, this incident will be an alert-process wakeup call for the country. We must all respond appropriately. 

No doubt, the next mistakes (or human errors) will be different in various ways, so we must look more broadly than just one particular scenario. Many people all over the country (and world) are now asking: What if that happened here? What would we do?

Hopefully, as NBC News points out, this can become a teachable moment for all of us.

Finally, I realize that comparing this to the attack on Pearl Harbor will be viewed as a big stretch by many. Nevertheless, some of the similarities are striking. My hope is that the analogy will bring more action. Will we learn from history and better prepare? Only time will tell.

I’d like to close with this question: What will you do differently after this warning?

Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.