Two senior civilian leaders of Hawaii’s Emergency Management Agency have resigned and a third has been fired as a result of the January 13 false alert that sent the entire state running for cover from a fictitious incoming missile.
Administrator Vern Miyagi and executive officer Toby Clairmont stepped down Tuesday after the FCC released its preliminary findings detailing the agency’s failures. In addition, the agency employee who actually sent the alert has been fired, according to reports.
FCC Prelim Report Hawaii Missile Alert – Download (PDF)
“A combination of human error and inadequate safeguards contributed to this false alert,” wrote James Wiley, an attorney advisor at the FCC’s Cybersecurity and Communications Reliability Division. “There were no procedures in place to prevent a single person from mistakenly sending a missile alert to the State of Hawaii. While such an alert addressed a matter of the utmost gravity, there was no requirement in place for a warning officer to double check with a colleague or get signoff from a supervisor before sending such an alert.”
The report said the mix-up happened after a midnight supervisor at the Hawaii Emergency Management Agency decided to conduct a spontaneous drill during a shift transition. The incoming day supervisor, however, was reportedly unaware the drill would involve any incoming day officers, who were then not told about the exercise.
The FCC’s report also uncovered problems with the agency’s alert origination software. According to Wiley, the software was incapable of differentiating between a live alert and a test or exercise alert. Hawaii’s alert origination software allowed users to send both live alerts and test alerts using the same interface, and the same log-in credentials, after clicking a button that simply confirmed ‘Are you sure you want to send this alert?’
“In other words, the confirmation prompt contained the same language, irrespective of whether the message was a test or an actual alert,” Wilely wrote in the FCC report. “The confirmation prompt also did not offer the officer another opportunity to review the text that is about to be sent. Further, Hawaii’s reliance on prepared templates stored in their alert origination software made it easy for a warning officer to click through the alert origination process without sufficient focus on the actual text of the alert message that he or she was about to send.”
According to the FCC, the common practice is to host the live alert production environment on a separate, user-selectable domain at the log-in screen, or through a separate application. Other alert origination software also appears to provide clear visual cues that distinguish the test environment from the live production environment, including the use of watermarks, color coding, and unique numbering.
“Every state and local government that originates alerts needs to learn from these mistakes,” said FCC Chairman Ajit Pai. “Each should ensure that it has adequate safeguards in place to prevent the transmission of false alerts, and each should have a plan in place for how to immediately correct a false alert. The public needs to be able to trust that when the government issues an emergency alert, it is indeed a credible alert. Otherwise, people won’t take alerts seriously and respond appropriately when a real emergency strikes and lives are on the line.”