An expert explains just how convoluted the system that tells us if we’re in danger really is.
For 38 minutes on January 13, residents and tourists in Hawaii scrambled to react to a terrifying emergency alert on their phones that read: “BALLISTIC MISSILE THREAT INBOUND TO HAWAII. SEEK IMMEDIATE SHELTER. THIS IS NOT A DRILL.”
It was a false alarm — Hawaii’s Emergency Management Agency tweeted 15 minutes later that there was no incoming missile — but it took nearly 40 minutes for officials to send out another message through the emergency alert system rescinding the warning.
Hawaiian authorities have said that the mistake was a matter of human error: An official just clicked the wrong link on their computer screen. But the fact that one person’s errant mouse click led to panic made a lot of people wonder: Just how reliable is the country’s emergency alert system, anyway? If that could happen in Hawaii, could it happen in Washington, DC? How does this whole thing even work?
To find out, I contacted retired Rear Adm. David Simpson, who served as the chief of the Federal Communications Commission’s Public Safety and Homeland Security Bureau from 2013 to 2017. He’s seen firsthand how the federal government works with states, local communities, and broadcasters to disseminate alerts about natural and man-made disasters.
It turns out that the US’s emergency management alert system is actually made up of a bunch of separate systems, many of which are underfunded. This means that many emergency officials are working with unsophisticated software, which can lead to mistakes like the one in Hawaii.
A lightly edited transcript of my conversation with Simpson follows.
So what’s supposed to happen if a missile is actually shot at, say, Hawaii? Walk me through the process.
The first thing that happens is, within seconds, we detect a launch using our infrared satellites orbiting the Earth, because of the heat associated with a ballistic missile launch. They immediately begin to identify the type of missile it is, and determine from its trajectory where it’s headed.
After that’s been determined, US Northern Command — which has responsibility for defense of the homeland — works closely with US Pacific Command, which is responsible for defending against threats coming out of North Korea. They confer with US Strategic Command, which would be responsible for any retaliatory response, and make sure that all three commands are on the same page.
They then bring in the Federal Emergency Management Agency (FEMA) — which makes a secure phone call to the emergency operation center for the target state, in this case, Hawaii. Hawaiian authorities generate a message — one that they’ve created a pre-worded template for. They send that message back up to the federal level.
That message is then distributed through the integrated public alert warning system and emergency alert system, which includes broadcasters and road signs, digital billboards, and things like that.
My guess is when most people think of an alert because of an incoming ballistic missile, they think of the Pentagon or the Department of Homeland Security. I bet they don’t really think of the Federal Communications Commission (FCC). What’s the FCC’s role in all of this?
The FCC sets the technical rules that broadcasters, TV, radio, and wireless providers have to comply with, should they decide they want to participate in the emergency alert systems.
The FCC’s role is making sure that those 30,000 commercial companies all are able to do this consistently and with a high degree of reliability.
We seem to have a convoluted, distributed system where each state is responsible for its own emergency alerts. And on top of that, there is a whole federal process.
How did it get this way?
The states are all part of the same system: the Integrated Public Alert [and] Warning System.
Congress decided, in the IPAWS Modernization Act, to go to an open architecture, which lets multiple vendors compete to develop software for state emergency operations centers.
I don’t think it’s a bad thing that there’s variation. It means that communities can really select a system that meets their particular needs. A very rural county might focus on something different than an urban area. It also might have a different budget.
The key thing to remember is that the variation in those systems are coupled with a desire by the states to pay the very least that they have to for them.
So there are variations in the systems that states and other communities use. Do they vary in how they operate, too?
In some states, the EOCs (emergency operations centers) are manned 24 hours a day, 365 days a year. In other states, the EOC is only manned when there’s a natural or man-made disaster.
But now that 50 states and six territories are within range of North Korean missiles, we should ask if there need to be new standards for those EOCs to operate 24/7.
So, just to be clear, there are certain states that have EOCs that aren’t operational all the time, even though they could be targets of a ballistic missile attack?
Yes, including some large states.
So let’s say state X doesn’t have a 24/7 emergency operations center. Would there be a warning delay if there’s an incoming threat?
There could be.
But I’m somewhat confident that there is a designated person or agency in each area to pick up the phone, should the call come. But the point is, there wouldn’t necessarily be the activated EOC to receive that call.
Hawaii by itself doesn’t have the ability to track incoming ballistic missiles, but it does have the ability to initiate an emergency alert about ballistic missiles. Isn’t that an odd setup?
It’s really something we should question. But the reasons for the states to have the ability to send alerts are good, solid reasons.
The system was designed, originally, at the national level to issue warnings. But it became clear very quickly that there was some benefit for states and local communities to issue emergency warnings, too. The thinking is that states are in a better position to fully understand local emergencies and issue the appropriate warnings to their jurisdictions.
But states have no organic means of detecting an inbound ballistic missile. They are entirely dependent on a call from the Defense Department — or actually FEMA, embedded within the Defense Department operations center — about whether or not a missile is inbound.
I think we should be looking at whether or not we should give the responsibility for warnings to the operations center — federal or local — that has the best ability to say if a ballistic missile threat is real or not.
Let’s say all the communications work well, and everyone is informed quickly. In some places, like Hawaii, there really isn’t anywhere for people to hide from a ballistic missile attack.
Who’s responsible for setting up a shelter system: the local community or the federal government?
Both, but the federal government provides a one-size-fits-all kind of solution, while states and local communities know their populations best.
They would know, for example, if, there’s a championship football game happening and there are hundreds or thousands of people in that stadium. If we send that stadium the warning now, we’re going to lose 10 people as they rush to the exits.
So there are local factors that are important to keep in mind when communicating that information. And that includes what to do in the moment, but also what to do as you prepare and increase the readiness of communities to take action.
So how long does it usually take from launch to alerting the targeted area?
I don’t want to be too technical with regard to that, because we get into some classified elements there.
But let’s say within a minute, the Pentagon should have been able to identify the kind of missile and have a state-level understanding of where it’s headed.
That will continue to be refined. But the call, once the attack assessment is done, that can be tens of seconds to the targeted area. We can put out the message and disseminate it to their phone systems in about three seconds.
It’s a different system for the broadcasters — it takes about a minute or two for the emergency tones to beep on the TV.
How do we ensure that a mistake like Hawaii doesn’t happen again?
First of all, humans are part of this system — and we have yet to design a system to ensure that humans don’t make errors. You can reduce the possibility with a better user interface, and you can certainly add in checks and balances, like two-person authentication before a message is sent. But many of those protocols would slow things down.
So we need ask what protocols can rapidly allow for the right checks and balances associated with an incoming threat.
You might want to have an exercise computer and a real threat computer so that you physically would have to go to a different system to issue the real alert. There are also a number of controls that could be designed into the user interface.
But as you mentioned before, states do not spend much money on these systems, so is there any hope that improvements will be made?
It is a budget issue, and improvement won’t just happen magically. It really requires some design work and a dedicated program.
I really would like to see the Department of Homeland Security and Department of Defense step up more. There should be a call for action beyond just the jurisdiction of the FCC.