Passwords for government networks written on sticky notes. A lack of basic cybersecurity. Requests to improve the system that went ignored. Employees sleeping on the job. Others who watched TV.
Emails released Tuesday by the state agency responsible for sending out the false missile alert that sent residents and visitors in Hawaii into a statewide panic Jan. 13 reveal an alarmingly relaxed work environment where warnings went ignored and employees were unsupervised.
The state released over 300 pages of emails — some of which are heavily or completely redacted — from the Hawaii Emergency Management Agency’s then-administrator Vern Miyagi and Maj. Gen. Arthur Joe Logan, and a handful from Brig. Gen. Kenneth Hara, who was appointed by the governor to review the response.
"It's an obvious statement we let the people of Hawaii down," an employee said in a lengthy email to Miyagi sent the day after the false alert fiasco. The employee then outlined perceived problems at Hawaii's State Warning Point that led to the error.
The employee, whose name is redacted, said that the emergency management agency had been resistant to workers inside the State Warning Point doing "work other than monitoring to ensure they are not distracted." However, the email added, "this has created an environment without stimulation that leads to other types of distractions."
Instead, employees watched "movies or tv shows" and at least once all three workers on duty were caught sleeping, the email said.
"Approximately two weeks ago, it was reported to me by a staff member who came in early that they observed all 3 SWP staff on shift asleep," the employee wrote. "The staff member said he wanted to address this with the personnel directly before going to the supervisor. I should have reported it."
The email also listed at least half a dozen instances in which the employee said they had alerted the agency about the need for a "deactivation" alert that could be sent after a ballistic missile warning to inform the public that there was no longer a threat.
"Though my request for a protocol was not based on a concern about human error, had the protocol been developed within the last 2 months, the delay yesterday would not have happened," the employee wrote.
The employee said that the need for a "deactivation" protocol had been brought up as early as Nov. 6, 2017 — nearly a month before the state implemented its alert system for a nuclear attack on Dec. 1. The employee faulted "an overall lack of prioritization and follow through that all of us let happen."
The employee also noted a lack of standardized training. Instead, most information was passed down during shift changes.
"I do not believe they receive standardized or recurrent training from official sources on updated policies or procedures," the email said about employees at the State Warning Point office. "It appears that new information is often shared during the shift change pass down. However, this allows for someone to omit or misinterpret information. My branch should be doing more drills to exercise them but we have not."
Another email, from the Federal Emergency Management Agency's branch chief for integrated public alert and warning system engineering, linked to an article in the far-right website Gateway Pundit about a photo of a Post-it Note with a password visible in the State Warning Point, under the subject line: "Is this real?"
Miyagi replied that "the password was for an application we use here at the office." He added that the Post-it Note "has been taken down" and the "password for the application has been changed."
The day after the false missile alert was sent, the state emergency management agency's then-executive officer Toby Clairmont, who, along with Miyagi, resigned following the incident, emailed his boss to ask if they could discuss restricting access to the State Warning Point center.
"I'd like to implement some restrictions (who may access and when)," Clairmont wrote, adding that people should only be allowed in with an escort.
After the false missile alert was sent, a two-person verification rule was implemented for sending an alert — a development that's noted in another email.
Another email noted updated security protocol put in place the day after the missile alert was sent to protect against "malicious cyber-attacks." The sender, whose name is redacted, said that they added a "multi-layered firewall security," "encrypted protocol for all secured communications," "two-factor authentication," and "mandatory cyber security awareness training."
Another email that appears to be from the employee who had the ability to send a correction alert wrote a detailed timeline of the events Jan. 13, noting that they could not reach Miyagi on either his work or personal phone in the aftermath of the false missile alert.
After 20 minutes, the employee decided with their supervisor to send a correction alert. The employee wrote that it then took 13 minutes to "boot up my work laptop at home," log in to the system "via an encrypted connection," and draft and send the correction.
A report completed by Hara in February cited a breakdown of communication between state officials as one of the agency failures in the incident.
Miyagi inquired in an email Jan. 26 about whether GETS, a credit-clearing software system, would have helped to deal with the phone lines being clogged and the redacted responder said that "text messaging is probably the most effective way to get through the congestion."
The unnamed worker who sent the false alert was eventually fired, but there appears to have been a lot of confusion about what happened to him and if he would speak to investigators. Eventually, the Hawaii Emergency Management Agency's operations chief emailed that the employee had called in sick for at least a week, making it impossible for investigator James Wiley, an FCC attorney visiting Honolulu from Washington, DC, to interview the employee.
It was previously reported that the unnamed employee had previously made other mistakes during a tsunami drill when he became "confused" and "froze," and that he was refusing to cooperate with the investigation. In an anonymous interview with NBC News, he said he was "not to blame in this," calling the false alert a "system failure."
On Jan. 25, Wiley sent an email asking if he could see a written statement from the unnamed employee, the existence of which he said he learned of from a HuffPost article. In a follow-up email the next day, Wiley wrote that "given news reports about this statement, it would be embarrassing for us not to be familiar with its contents."
The next email said the attached document was scanned and sent, but appears completely redacted, so it's not clear what the statement from the employee said.
The FCC said in a report released Jan. 30 that Hawaii officials had provided the employee's statement to them, but that it was never made public.