As the citizens of Hawaii came out of hiding in their bathtubs and basements Saturday morning, after learning that the emergency alert they had received, warning of an imminent nuclear missile attack, was a false alarm, their fear and panic transformed into rage.
“I’m extremely angry right now. People should lose their jobs if this was an error,” Hawaii State Representative Matt Lopresti told CNN.
Hawaii Senator Brian Schatz confirmed on Twitter that the alert, which said that a ballistic missile was inbound to Hawaii and urged people to seek shelter, was sent due to “human error.” The initial alert went out at 8:07 am, but it wasn’t until 8:43 am that the state sent a second alert, announcing it was a false alarm. Governor David Ige told CNN, “An employee pushed the wrong button.”
Could it really be that the emergency alert system is so simplistic, it only takes the twitch of a finger to send Hawaii into terror and chaos?
Yes. During a press conference Saturday afternoon, the governor and officials at the Hawaii Emergency Management Agency confirmed that the blunder occurred during a twice-daily test that happens when staffers switch shifts. In this case, the staffer accidentally selected a live alert, instead of a test alert. After the alert went out, there was no way to automatically cancel or recall the message. Instead, they took to Twitter to tell the public the alert was a false alarm, but it took a full 38 minutes to manually generate and disseminate another corrective emergency alert that reached all Hawaiians. Officials said they’re now working on speeding up that feature.1
“We’ve already implemented some actions to speed up the process so the public would be notified faster,” Ige said.
The Integrated Public Alert and Warning System, or IPAWS, manages both the emergency alerts you get on your phone and the national emergency alert system, which broadcasts to television stations. According to Simpson, the system uses a web interface with multiple servers that cache preloaded messages about different types of emergencies, from states across the country.
“It’s a regular PC interface. This person probably had a mouse and a dropdown menu of the kind of alert messages you can send,” and selected the wrong one, Simpson says.
In a statement to WIRED, the Federal Emergency Management Agency, which operates IPAWS, said it is working with local authorities and the FCC to gather “more details to understand how this occurred and how to prevent such occurrences in the future.” FCC chairman Ajit Pai tweeted that the commission is investigating as well.
Those pre-loaded emergency alerts, scary as they may seem, are necessary, says Thomas Karako, a senior fellow at the Center for Strategic and International Studies. “It’s critical we have this kind of early warning system.”
Simpson agrees: “You don’t want to be in the middle of a attack on the US and have someone fumbling around with the message.” It’s also natural to conduct exercises to ensure the system is functioning. The problem in this case, Simpson says, is any exercise message should begin with the words, “EXERCISE EXERCISE EXERCISE.”
“This was probably a state-run emergency exercise that doesn’t have the strong controls that DoD has learned the hard way from 50 years of screwing up,” Simpson says.
Where Were the Feds?
In the event of an actual attack, the first government agency to initiate an alert would be the North American Air Defense Command, or NORAD, which is located in a cave in the Rocky Mountains in Colorado Springs. Open 24 hours a day, seven days a week, its staffers—known as watch standers—monitor a global network of sensors that can detect a missile launch. If it detects a missile en route to Hawaii, NORAD would send a message to Pacific Command, which would in turn alert the state emergency management center.
That’s why, says Simpson, the biggest question of all may be what the federal government was doing after the alert went out. The Emergency Alert System, which predated Wireless Emergency Alerts, was created with the specific goal of letting the president communicate with the country in the event of a nuclear attack. The US has spent billions of dollars maintaining this system, and yet, 38 minutes went by before Hawaii sent a second message, acknowledging the false alarm. The president, or any of the federal agencies with access to the emergency alert system, could have corrected the record much sooner.
“We paid big bucks to the DoD and provide very good capabilities to the president to communicate directly to the nation. Where’s the accountability there for not piping up immediately?” Simpson says. “I think that’s going to wind up ultimately being the scandal. Where were they with all of this?”
In a statement Saturday afternoon, White House deputy press secretary Lindsay Walters put the blame on Hawaii. “The President has been briefed on the state of Hawaii’s emergency management exercise. This was purely a state exercise.”
While numerous questions remain about the federal government’s response, Hawaii’s excruciatingly long panic sends several clear messages about ways to improve IPAWS. Though all 50 states use it, not all local governments are part of the voluntary system, leaving some cities without a uniform way to alert their citizens of a local threat. And it’s possible not all emergency management centers are giving their staffers uniform, adequate training. In some cases, Simpson says, those emergency centers only staff up when a threat appears imminent.
“There’s nowhere near the professionalism there on the national security side of things,” Simpson says.
Perhaps the most critical issue this false alarm highlights is the need for a firewall between the test mode and live mode in the emergency response interface. In the DoD’s version of the system, Simpson says, that separation exists. It appears that was not the case in Hawaii. The Hawaii emergency management officials also noted the obvious need for a better way to recall accidental messages.
As terrifying as this false alarm may have been, experts say it’s critical for governments to continue to test these systems so that they’re adequately prepared if and when the time comes to use them. During the wildfires in California last year, several counties declined to send alerts for fear of sowing panic, and instead, left their citizens wholly unprepared for the fires’ spread.
“My big fear is this has been such a bad experience states will be afraid to use alerting now. But the opposite should occur. They should get in and conduct tests and exercises,” Simpson says. “But do so using the right controls.”
Louise Matsakis contributed reporting.
1Story updated at 18:45 ET on Saturday, January 13 to include information from the press conference.