Monday, January 15, 2018

Missile alert: The case for paranoia

Hawaiians received the ultimate scare and we still do not have a satisfactory explanation as to exactly what happened. From the WP:
Around 8:05 a.m., the Hawaii emergency employee initiated the internal test, according to a timeline released by the state. From a drop-down menu on a computer program, he saw two options: “Test missile alert” and “Missile alert.” He was supposed to choose the former; as much of the world now knows, he chose the latter, an initiation of a real-life missile alert.

“In this case, the operator selected the wrong menu option,” HEMA spokesman Richard Rapoza told The Washington Post on Sunday.

Around 8:07 a.m., an errant alert went out to scores of Hawaii residents and tourists on their cellphones: “BALLISTIC MISSILE THREAT INBOUND TO HAWAII. SEEK IMMEDIATE SHELTER. THIS IS NOT A DRILL.” A more detailed message scrolled across television screens in Hawaii, suggesting, “If you are indoors, stay indoors. If you are outdoors, seek immediate shelter in a building. Remain indoors well away from windows. If you are driving, pull safely to the side of the road and seek shelter in a building or lay on the floor.”
Question: Why did that message scroll across television screens in the absence of the familiar Emergency Broadcast System attention signal?
Part of what worsened the situation Saturday was that there was no system in place at the state emergency agency for correcting the error, Rapoza said. The state agency had standing permission through FEMA to use civil warning systems to send out the missile alert — but not to send out a subsequent false alarm alert, he said.
A "false alarm" message was sent, 38 minutes later. Why could it not have been sent earlier?

Call me irresponsible if you must, but I cannot easily believe what we're being told. An employee mistake? Sure, that part is credible enough -- but who in his right mind would design such a system? Who would put "Test missile alert" and "Missile alert" right next to each other on the same screen? The choice of "Missile alert" should have triggered a flashing red light and a brief confirmation dialogue box: Is this an actual real-world emergency?

Hawaiian authorities have assured us that the incident resulted from human error, and that no outside actors were involved. Perhaps that statement is true in this case. Nevertheless, there is no denying that, in the past, the government has lied about errors and accidents involving nuclear weapons.

Here is a list of 32 "Broken Arrow" events involving nuclear weapons. Many of these incidents remain mysterious. Here is a longer list of accidents involving nuclear materials (both here and elsewhere, including but not limited to weaponry). In most cases, the public was kept in the dark.

Special attention should go to the 1980 "Silo 7" incident in Arkansas. On that occasion, an accident involving a dropped socket wrench almost resulted in the deaths of millions. From a 2016 Salon article:
It’s not entirely fair to say that the near-catastrophe of 1980 was covered up. But Americans were not even remotely told the truth about how close we came to nuclear Armageddon in the heartland. In fact, when Mondale demanded to know whether the Damascus missile was armed with a nuclear warhead, the military initially refused to tell him. “In my book, I have a quote from someone who was in the room,” said author Eric Schlosser during a recent video interview in Salon’s New York office. “Mondale said, ‘Goddamn it, I’m the vice president of the United States! You should be able to tell me if there’s a nuclear warhead on this missile or not.’ Eventually they did.”
Question 1: If the nuclear authorities in Hawaii hid the truth about that false alert, would Trump and Pence even know?

Question 2: Is it truly so outlandish to ask if hackers gained access to the computer which flashed that emergency alert message?

Question 3: If hackers can tamper with the computers controlling our energy grid, why should we presume that that particular computer in Hawaii was beyond their reach?

Tampering with the grid has already occurred. From Wired, last September:
Security firm Symantec is warning that a series of recent hacker attacks not only compromised energy companies in the US and Europe but also resulted in the intruders gaining hands-on access to power grid operations—enough control that they could have induced blackouts on American soil at will.

Symantec on Wednesday revealed a new campaign of attacks by a group it is calling Dragonfly 2.0, which it says targeted dozens of energy companies in the spring and summer of this year. In more than 20 cases, Symantec says the hackers successfully gained access to the target companies’ networks. And at a handful of US power firms and at least one company in Turkey—none of which Symantec will name—their forensic analysis found that the hackers obtained what they call operational access: control of the interfaces power company engineers use to send actual commands to equipment like circuit breakers, giving them the ability to stop the flow of electricity into US homes and businesses.
Security firms like FireEye and Dragos have pinned those Ukrainian attacks on a hacker group known as Sandworm, believed to be based in Russia. But Symantec stopped short of blaming the more recent attacks on any country or even trying to explain the hackers' motives. Chien says the company has found no connections between Sandworm and the intrusions it has tracked. Nor has it directly connected the Dragonfly 2.0 campaign to the string of hacker intrusions at US power companies—including a Kansas nuclear facility—known as Palmetto Fusion, which unnamed officials revealed in July and later tied to Russia.
Yes, Sandworm was named after the monsters in Dune.

You may also want to contemplate this lovely story from last July:
Nuclear and other energy providers have been advised by the Department of Homeland Security and the FBI that hackers may be trying to breach their computer systems.

DHS said in a statement Friday that there is no threat to public safety. The agency said hackers appear to have tried to breach the business and administrative networks of the facilities. DHS did not identify the facilities.
Obviously, there is a vast difference between a nuclear energy facility and a computer system which sends out emergency alerts to the public. But from a technical point of view -- from a hacker's point of view -- is the difference really so vast?

The Drive -- a website devoted to cars and aviation -- veered into frightening territory last night when it published an article memorably titled "Get Ready For More False Alerts Stating That You Are About To Die." The author, Tyler Rogoway, is not a crank or a conspiracy theorist. His Twitter bio states that he is "Currently editor of Time Inc's The War Zone."

I hope that Mr. Rogoway won't mind extensive quotation of his work...
Shockwaves from this huge mistake are likely to ripple outward for months, but for now it serves as a stark reminder that false information and its relation to our smartphones doesn't just stop at "fake news" on Facebook.

America's enemies understand this very well and are very likely to take advantage of weaknesses in America's mobile networks to inject fear, mistrust, and confusion into the populace in the future. These are the lynchpins of Russia's "hybrid warfare" playbook and their campaign to affect America's political process during the 2016 election also sticks to these underlying tenets. Smartphones in particular are a ripe target for foreign actors, and especially Russia. American troops operating in Eastern Europe during recent military exercises had their smartphones repeatedly broken into and jammed with all sorts of outcomes being witnessed. Other allied troops had constant messages sent to their phones.

The War Zone reported recently:
These reports match up almost word for word with information the Asymmetric Warfare Group collected regarding the ongoing conflict in Ukraine. The unit explained in its December 2016 handbook on Russian New Generation Warfare that the hybrid strategy had effectively blended electronic and cyber warfare with psychological operations to disrupt Ukrainian military activities.

“Electronic warfare devices allow Russian Forces to broadcast … messages directly against opposing Ukrainian forces as discussed earlier with cellular text messages,” the manual explained. “These can be very specific and directed at individuals, such as by threatening their wives and children by name, or generic and sent to entire units as was the case in Ukraine.”
More than twenty years ago, the U.S. Army War College was abuzz with similar ideas, which were then called the Revolution in Military Affairs. What we proposed, others have put into practice.
What's most concerning is that there have been countless examples in recent years of emergency broadcasting systems being hijacked or hacked by entities with nowhere near the power or the sophistication of a peer-state opponent or even a major international non-state actor. Many vectors exist for these attacks, and thankfully they have mainly been pranks, such as alerting certain regions to a potential zombie virus outbreak or the end of the world. Even setting off air raid sirens for hours at a time in a major metropolitan area has occurred. But the risk of far more harmful operations executed by international actors remains.
And that's really what's at stake here—the public's trust in their government's ability to accurately communicate with them when it matters most. Considering these systems are how the President is supposed to address the nation during a major emergency situation (not just video or audio, but even using texts!), if the zombie alerts or false missile attacks can pop up at any given time, what's to say that what they are even hearing from the President is real?

And this is why undermining America's emergency broadcasting capabilities will be an increasingly attractive target to enemy states and actors—by breaking the public's faith in this most basic form of communication, it helps erode their greater confidence in their government as a whole.
And now, a word from Little Alex: Naturally, Alex Jones wants you to believe that the Hawaiian false alert was just another Clinton conspiracy designed to embarrass Trump. Apparently, the Clintons control the emergency alert system in Hawaii.

Seems to me that this incident would have improved Trump's image, if he had behaved responsibly. Trump could have tweeted a message reassuring the populace; instead, he went on a Twitter tirade against a personal enemy. Worse, Trump initiated a golf game after the false alarm was flashed but before the "All Clear" message had officially gone out. Any other president would have canceled the game to go before the cameras.

All he needed to do was to look and sound presidential, but he couldn't manage even that. Trump has no one to blame but himself.

2 comments:

Michael said...

"Who would put "Test missile alert" and "Missile alert" right next to each other on the same screen?"

Worse. They were two options next to each other on a DROP-DOWN MENU. Just consider how many times you've clicked the wrong item on a drop-down menu (or a right-click menu)?

Anonymous said...

How much did republicans pay for a "mistake" that took the heat off the Great White Dope however briefly?