A smartphone screen capture showing a false incoming ballistic missile emergency alert sent from the Hawaii Emergency Management Agency system. Jennifer Kelleher/AP

How FEMA Could Help Avoid Another Missile Alert Mishap

State and local authorities are responsible for sending and rescinding alerts, but FEMA can—and says it will—require the underlying infrastructure be more user-friendly.

The federal agency tasked with managing emergency response nationwide was not at fault for an erroneous emergency alert in January that falsely warned of a missile inbound for Hawaii, according to an inspector general report. However, federal officials could do more to prevent and mitigate the effects of such mistakes in the future, investigators said.

On Jan. 13, panic spread throughout the state of Hawaii after the local emergency management agency, HI-EMA, sent a statewide alert warning of an incoming ballistic missile on course to strike the islands and urging residents to take shelter immediately. Hawaiian officials said the alert, which ended with “This is not a drill,” was supposed to be part of an internal test of the system that accidentally went wide.

Hawaiians were left in a state of fear and uncertainty for almost 40 minutes as state officials worked to retract and correct the false alarm. Ultimately, it was federal officials who suggested HI-EMA send out an additional notice stating clearly that there was no imminent threat.

The messages were sent over a federally-managed infrastructure system known as the Integrated Public Alert and Warning System, or IPAWS. The Federal Emergency Management Agency provides the backbone for this system. However, FEMA does not provide the actual applications that states and localities use to write and send those alerts over the IPAWS network.

“Although FEMA maintains IPAWS as a messaging platform, state and local alerting authorities must obtain commercially-available emergency alert software to generate a message which passes through IPAWS for authentication and delivery,” the IG wrote in its report. “While FEMA provides overall support to the 1,030 alerting authorities on how to access and use IPAWS, it does not play a major role in the actual sending or canceling of alerts,” investigators added later in the document.

This is as intended, according to FEMA, as the federal employees who manage the system wouldn’t know that an alert was wrong without intimate knowledge of the emergency—something only officials on the ground would know in a timely manner.

FEMA does prescribe standards for the apps that are used to ensure they are secure and work with the IPAWS system. But when it comes to the ability to preview, edit or cancel alerts, FEMA only includes these as best practices rather than requirements.

The IG also noted FEMA requirements do not include a mandate for vendors to train state officials on how to use their applications, leading to further problems, the report states.

Investigators made two recommendations:

  • Require software vendors to include critical functions in their proprietary emergency alerting software that FEMA previously identified and communicated in 2015 and 2018.
  • Require software vendors to provide training on system functionality and capabilities to alerting authorities.

The agency agreed in full with both recommendations and has already begun to take action to include both provisions in an updated memorandum of understanding that states and localities must sign in order to use the IPAWS infrastructure.