This article is more than 1 year old

FYI: That Hawaii missile alert was no UI blunder. Someone really thought the islands were toast

False text probe reveals screw up after screw up

Bunch of twits

A few minutes later, at 8.20am, some bright spark suggests using social media and the EMA posts on Facebook and Twitter that there is "NO missile threat to Hawaii." The governor retweets the message and soon after posts his own message on Facebook. But the vast majority of Hawaiians are still unaware that it is a false alarm and are in panic mode.

It's not until 8.27am – 20 minutes after the false alarm was issued – that the EMA decides it has to put out an alert using the same system it used to issue the warning –text messages to everyone's phones.

A supervisor logs into the system, but there is no template for a false alarm correction so he has to create one, get everyone's agreement that it is crystal clear, and then hit send. It finally goes out at 8.45am.

Overall "a combination of human error and inadequate safeguards contributed to this false alert," the report concludes.

It has a few observations: "Most importantly, there were no procedures in place to prevent a single person from mistakenly sending a missile alert to the State of Hawaii," it notes. Amazingly, there is – or was - no double-check system in place before a missile alert was sent to more than a million people.

The decision to run a no-notice live drill on a shift change is also met with raised eyebrows. "While other emergency management agencies use no-notice drills under special circumstances, their common practice is to schedule drills in advance for a set date and time," the report notes. In other words, whose stupid idea was that?

The report slams the fact that the software "did not differentiate between the testing environment and the live alert production environment" – the height of poor UI design. An operator is also able to send an alert by simply click "yes" on a single warning box. There are no additional login requirements.

Stupid

What's more, that exact same warning box, with the exact same language, appears when running a test. So there is little or nothing to indicate to an operator the gravity of what they are about to do.

The report notes: "Common industry practice is to host the live alert production environment on a separate, user-selectable domain at the log-in screen, or through a separate application. Other alert origination software also appears to provide clear visual cues that distinguish the test environment from the live production environment, including the use of watermarks, color coding, and unique numbering."

And then, of course, the fact that there was no way to quickly backtrack only made the situation worse. "The Hawaii Emergency Management Agency had not anticipated the possibility of issuing a false alert and, as such, had failed to develop standard procedures for its response," notes the report.

Oh, and in the aftermath of the mega-gaffe, it emerged that, during a press tour of the EMA's headquarters in 2017, sticky notes with passwords written on them were attached to agency computer monitors, and were clearly seen in Associated Press photographs.

In other words, the whole thing was an omni-shambles.

As to making sure this never happens again: all supervisors must now get advance notice of any tests; two warning officers will now be required to login and approve every alert or tests; and a false warning template has been created so if it all goes wrong again, at least people will only fear for their lives for about 10 minutes rather than 40 minutes.

The EMA will update its software to include much clearer signs that a warning officer is going to send a real live alert, and the agency will not run any more tests until its own investigation has concluded.

The FCC probe is not over – this was just a preliminary report – and it has recommended that several meetings between relevant parties should be held to discuss what can be learned from the abject failure of a critical system.

Still, on the plus side, there was no actual missile, and hundreds of thousands of people were not under immediate threat of death. Or were they? ®

More about

TIP US OFF

Send us news


Other stories you might like