BALLISTIC MISSILE THREAT INBOUND TO HAWAII. SEEK IMMEDIATE SHELTER. THIS IS NOT A DRILL.
That horrifying message was tweeted to the cell phones of hundreds of thousands of terrified Hawaiians and tourists on January 13, 2018. Panic ensued as citizens ran for whatever shelter they could find. Yet after a few hours it has clear that this dire warning was a false alarm. Still this incident left in its wake a wave of damaged government reputations and public mistrust. Forensic investigators have since evaluated that monstrous mistake and made some recommendations. According to the FCC and Homeland Security Bureau preliminary report issued on January 30, the erroneous alert was the result of “human error and inadequate safeguards.”
That tweet could have been avoided or nullified immediately if Hawaii's emergency management agency had implemented a social media risk management platform such as Social Safeguard. Specifically, Social Safeguard is designed to evaluate both incoming and outgoing messaging across multiple messaging and social media channels in real time and quarantine any message that violates pre-define policy rules until the message can be properly reviewed and clear by an appropriate level of authority In this case, the agency would have prevented the panic by utilizing these controls and other inputs to confirm that the tweet was not accurate, causing it to be terminated before it could ever be broadcast.
Preventing Fake Emergency Alerts: Three Critical Steps Needed
The Hawaiian incident does not just represent an isolated example of a well-intentioned individual run amok, but rather serves as a wake-up call that lack of adequate controls around critical communications (e.g. Emergency Management) can leave large groups of citizens at risk of pandemonium, mass casualties and other catastrophic outcomes stemming from false alarms and other misinformation.
|Social Safeguard provides comprehensive surveillance of social media risk|
These types of risk scenarios can be avoided or significantly mitigated by implementing appropriate real-time message surveillance and supervision across all outbound communications and social media channels , whether by an agency or company. Public agencies, Emergency Management Alert (EMA) organizations, and other large organizations need to take three steps to prevent false alerts. The first step relates to the overall design of the emergency alert process. The second, to protecting the social media channels that carry alerts to millions of people from ATO (account take over). The third, from fake accounts that impersonate those agency accounts.
STEP 1 - Redesigning the system for better control
In the broadest sense, public agencies and companies with crisis risk need to improve the processes and safeguards for emergency notifications of all kinds—weather, natural disasters, terrorist threats, acts of war and others.
One of the steps should include looking at the overall design of the EMA system. For instance, in addition to miscommunication, it appears the proximate cause of the Hawaiian error lies in the use of a drop-down style menu. The console operator clicked a “live” drop-down item that read “PACOM (CDW) STATE ONLY” instead of the very similar entry that read “DRILL – PACOM (CDW) STATE ONLY.” Redesigning the EMA software is only one aspect of what needs to be done.
For example, just as two-man control is used to minimize the possibility of launching nuclear weapons in error, a two-man control protocol should be established by those responsible for activating emergency alerts—for those people who actually “push the button” that delivers the message to the public. Both parties must play an equal, active role in validating the emergency alert message before it can be issued. Neither party simply “confirms” the actions of the other party. Both must perform specific, independent actions to validate the emergency alert.
Official public messaging should only be issued following a clearly defined, secure review and approval process. Agencies need to articulate policy-based rules and guidelines to govern approval and the release of all messaging from the most trivial and routine to most serious public notifications.
Further a redesigned system should be such that:
- Agencies need to articulate policy-based rules and guidelines that govern approval and the release of all messaging from the most trivial/routine responses to most serious public notifications (e.g. nuclear alert)
- All public agency communications/messaging should be subject to review for said policy compliance before release
- Policy-based supervision should be instituted such that all outgoing messages can be monitored and reviewed in automated fashion to assure compliance with communications policy and approvals. Ideally this supervision should be instrumented across all messaging and social media channels (SMS, Twitter, Facebook, EMA web site, and others) and run in real time so as to be minimally invasive to normal communications and operations
- The supervisory policy engine should be capable of evaluating messaging for "critical impact" based on keywords, phrases, and/or sentiment
- Policy rules shall be in place to flag/quarantine "critical impact" messages, and any message from non-authorized issuers - essentially taking down the message until approve
As the FCC and Homeland Security Bureau continue their investigation, it's reasonable to expect they will establish guidelines such as implementing platforms like Social Safeguard that offer a second layer of protection, so just one click is enough to prevent false alarms through social media. Such messaging should be approached as part of a secure and accountable release process, as opposed to the ad hoc actions of individual contributors as was the case in Hawaii.
IN PART II (Link), we will explore STEPS 2 & 3 - account takeovers and other attacks, and the impact of fake accounts that can undermine the integrity of an agency's or organization's controls in social media.
Kevin Walter is a Senior Product Management professional and an industry expert in Information Management and Governance.
The solution to immediately gain better control and security over your social media channels is available with the Social SafeGuard platform. If your organization plays a role in alerting the public to emergency situations or you are concerned about crisis management in digital or social media, contact Social SafeGuard to learn how you may already be under attack and to request a free social media audit.