Although many are apparently blaming the lowly technician whose pushing of a “wrong button” allegedly caused the false warning about an imminent nuclear missile attack which panicked more than a million Hawaiians for more than 30 minutes, the true culprits are those who designed a system making such a happening almost certain to occur.
Actually, the true immediate cause was his clearly foreseeable mistake in choosing from a confusing and poorly designed drop-down menu on a computer screen; a design and system which made such a happening almost inevitable, notes Professor John Banzhaf.
Good design much anticipate that people will make mistakes, and plan systems so that these foreseeable mistakes either will not occur or can be immediately corrected, says Banzhaf, who learned hacking in the 1950s while becoming an engineer at MIT, worked as a design engineer with 2 patents, was the first to get a copyright on a computer program, and designed his own award winning web site.
One very obvious example of negligent system design, which has now been recognized and allegedly corrected, was to have a system where one single employee could send out a warning with such severe consequences on his own. This is especially negligent since a technique for preventing any one employee from triggering a very serious event by himself was developed long ago to prevent the wrongful launching of missiles, for example.
Launching a missile always requires two different authorized persons to act together and at the same time, thereby preventing a launch by one individual; something which foreseeably could be caused not only by carelessness, but also by individual malice, temporary insanity, threats to that person's loved ones by criminals, and many other causes.
While the U.S.'s original missile-launch system required two different officers to turn their own keys in separate keyholes at the same time for a launch, the same fail-save principle could easily be applied to an emergency warning system controlled by computers.
This could be accomplished very easily and inexpensively by requiring at least two different authorized employees to each click on the same choice in a drop down menu on two different computers at the same time.
Another major design error, which would probably cause any student in an engineering design class to flunk or at least receive a stern admonishment, was not providing a mechanism which would permit a subsequent corrective message to be sent out virtually immediately if an original one was false.
Authorities blame their delay in sending out a second WAS (Wireless Emergency Alerts) - to alert the public that the initial warning was sent in error - on the need to carefully compose such a message, but this is not a valid excuse for at least two reasons.
First, since sending out a false missile warning by mistake or because of other causes is clearly foreseeable even though low in probability, such a message should have already been prepared and ready to be transmitted; a move which would have slashed the time Hawaiians were panicked by almost 30 minutes.
Second, an even more important reason is that authorities should be able to compose messages very quickly in response to many different events about which the public should be warned very quickly.
At this point the only pre-prepared warnings ready to be transmitted in Hawaii include, in addition to missile attacks and amber alerts, a tsunami, a landslide, and high surf.
But there are many other foreseeable events about which the public should be warned immediately. These would include biological attacks, radioactive fallout, a major terrorist threat, poisoning of the water supply, etc.
In the event of a real missile alert warning message, officials should also be able to send out appropriate followup messages using the same system. These might include messages that the missile has gone off course, crash landed but did not explode, that it was shot down, etc. In all such cases the public should obviously be alerted immediately, even if it requires composing a new message.
Although a WAS may contain no more than 90 characters, composing such warnings for unforeseen events as they happen should not be difficult for anyone used to posting Twitter messages or comments on many Internet message boards, both of which restrict the number of characters permitted.
For messages for radio stations and other recipients which may require audio, computer systems which read simple English messages in audio form are well tested and widely available.
A third clear system design error was failing to clearly and unambiguously differentiate the choices on the drop down menu so that mistakes of this kind become much more unlikely.
The current choices on the drop down menu are all in the same color and apparently in the same font, thereby making a mistake much more likely. This can be corrected very easily.
For example, when the medical community experienced a series of unnecessary deaths and near deaths from the administration of the wrong intravenous solution from hanging bags which were very similar in appearance, an effort was made to distinguish the medications - which may have similar and therefore easily confused medical names and may come in very different concentrations - by using different colors, designs, etc. on the bags to diminish the chances that a nurse will reach for the wrong one in an emergency.
Also, something which makes confusion and mistakes more likely is that the line on the computer drop down menu used to trigger a missile warning reads "(PACOM) (CDW) - State Only."
While employees authorized to operate the system should know that PACOM stands for the United States Pacific Command in Hawaii, and that CDW stands for Civil Defense Warning, some confusion and/or forgetfulness is clearly possible if not likely. This possibility is increased because there is another line in the menu which also refers to PACOM.
Non-negligent design would strongly suggest that, given the dire consequences of selecting the wrong menu item, the menu choice for the missile warning would very clear and easily distinguishable.
Something like "INCOMING MISSILE ALERT WARNING - USE GREAT CARE" would be unambiguous and clear distinguishable from the other menu choices, especially if it was the only menu item choice which occupied two (rather than only one) line, and it was in a different color and font.
Still another serious system design flaw is the use of what is described as a "a standard, confirmatory pop-up" which appeared on his computer asking whether the employee was sure he wanted to send the alert. In other words, he probably received a pop-up asking "Are You Sure" similar to the type all computer users received routinely, and which many click on immediately and often almost reflexively.
Given the gravity of a mistake in using the drop down menu, something much more and very different from a "a standard, confirmatory pop-up" is clearly required.
Rather than being asked something simple such as "Are You Sure," a well designed backup protection would probably say something such as "THIS IS VERY SERIOUS - ARE YOU ABSOLUTELY SURE YOU WISH TO SEND A MISSILE WARNING MESSAGE!"
Indeed, for the same reason, a second confirmatory message, perhaps reading "LAST CHANCE - A MISTAKE COULD BE CATASTROPHIC - ARE YOU SURE YOU WANT TO SEND THIS WARNING?" should probably also be required before the message is actually sent.
System designers must always assume that people will make mistakes, and design systems so that such mistakes will not lead to catastrophic consequences, says Banzhaf, who reminds us that good designers must always honor Murphy's law - "If Something Can Go Wrong, It Will!"
Thus good system designers must assume that something will in fact go wrong, at least over the long run, and design the system to be "fail safe" - to not fail because of easily anticipated problems.
JOHN F. BANZHAF III, B.S.E.E., J.D., Sc.D.
