How the False Hawaii Missile Warning Could Have Happened
As the citizens of Hawaii came out of hiding in their bathtubs and basements Saturday morning, after learning that the emergency alert they had received, warning of an imminent nuclear missile attack, was a false alarm, their fear and panic transformed into rage.
“I’m extremely angry right now. People should lose their jobs if this was an error,” Hawaii State Representative Matt Lopresti told CNN.
Hawaii Senator Brian Schatz confirmed on Twitter that the alert, which said that a ballistic missile was inbound to Hawaii and urged people to seek shelter, was sent due to “human error.” The initial alert went out at 8:07 am, but it wasn’t until 8:43 am that the state sent a second alert, announcing it was a false alarm. Governor David Ige told CNN, “An employee pushed the wrong button.”
Could it really be that the emergency alert system is so simplistic, it only takes the twitch of a finger to send Hawaii into terror and chaos?
It’s possible, says Retired Admiral David Simpson, former chief of the Federal Communications Commission’s Public Safety and Homeland Security Bureau, who has been advocating for an improved emergency alert system for years.
The Integrated Public Alert and Warning System, or IPAWS, manages both the emergency alerts you get on your phone and the national emergency alert system, which broadcasts to television stations. According to Simpson, the system uses a web interface with multiple servers that cache preloaded messages about different types of emergencies, from states across the country.
“It’s a regular PC interface. This person probably had a mouse and a dropdown menu of the kind of alert messages you can send,” and selected the wrong one, Simpson says.
In a statement to WIRED, the Federal Emergency Management Agency, which operates IPAWS, said it is working with local authorities and the FCC to gather “more details to understand how this occurred and how to prevent such occurrences in the future.” FCC chairman Ajit Pai tweeted that the commission is investigating as well.
Those pre-loaded emergency alerts, scary as they may seem, are necessary, says Thomas Karako, a senior fellow at the Center for Strategic and International Studies. “It’s critical we have this kind of early warning system.”
Simpson agrees: “You don’t want to be in the middle of a attack on the US and have someone fumbling around with the message.” It’s also natural to conduct exercises to ensure the system is functioning. The problem in this case, Simpson says, is this state-run exercise doesn’t seem to follow the proper procedures laid out by the Department of Defense. The DoD runs similar exercises, but begins each test message with, “EXERCISE EXERCISE EXERCISE.”
“This was probably a state-run emergency exercise that doesn’t have the strong controls that DoD has learned the hard way from 50 years of screwing up,” Simpson says.
According to The New York Times, after the false alarm, Hawaii’s Emergency Management Agency put in two-step authentication to prevent this happening again.
Where Were the Feds?
In the event of an actual attack, the first government agency to initiate an alert would be the North American Air Defense Command, or NORAD, which is located in a cave in the Rocky Mountains in Colorado Springs. Open 24 hours a day, seven days a week, its staffers—known as watch standers—monitor a global network of sensors that can detect a missile launch. If it detects a missile en route to Hawaii, NORAD would send a message to Pacific Command, which would in turn alert the state emergency management center.
That’s why, says Simpson, the biggest question of all may be what the federal government was doing after the alert went out. The Emergency Alert System, which predated Wireless Emergency Alerts, was created with the specific goal of letting the president communicate with the country in the event of a nuclear attack. The US has spent billions of dollars maintaining this system, and yet, 38 minutes went by before Hawaii sent a second message, acknowledging the false alarm. The president, or any of the federal agencies with access to the emergency alert system, could have corrected the record much sooner.
“We paid big bucks to the DoD and provide very good capabilities to the president to communicate directly to the nation. Where’s the accountability there for not piping up immediately?” Simpson says. “I think that’s going to wind up ultimately being the scandal. Where were they with all of this?”
In a statement Saturday afternoon, White House deputy press secretary Lindsay Walters put the blame on Hawaii. “The President has been briefed on the state of Hawaii’s emergency management exercise. This was purely a state exercise.”
While numerous questions remain about what exactly triggered the alert and the federal government’s response, Hawaii’s excruciatingly long panic sends several clear messages about ways to improve IPAWS. Though all 50 states use it, not all local governments are part of the voluntary system, leaving some cities without a uniform way to alert their citizens of a local threat. And it’s possible not all emergency management centers are giving their staffers uniform, adequate training. In some cases, Simpson says, those emergency centers only staff up when a threat appears imminent.
“There’s nowhere near the professionalism there on the national security side of things,” Simpson says.
Perhaps the most critical issue this false alarm highlights is the need for a firewall between the test mode and live mode in the emergency response interface. In the DoD’s version of the system, Simpson says, that separation exists. It appears that was not the case in Hawaii.
As terrifying as this false alarm may have been, experts say it’s critical for governments to continue to test these systems so that they’re adequately prepared if and when the time comes to use them. During the wildfires in California last year, several counties declined to send alerts for fear of sowing panic, and instead, left their citizens wholly unprepared for the fires’ spread.
“My big fear is this has been such a bad experience states will be afraid to use alerting now. But the opposite should occur. They should get in and conduct tests and exercises,” Simpson says. “But do so using the right controls.”
Louise Matsakis contributed reporting.