If US Central Command Can Be Hacked, What’s Your Protection?

It appears that the Twitter and YouTube accounts of US Central Command were hacked yesterday by folks sympathetic to Islamic terrorists. While that’s disturbing in and of itself, for us it raises an interesting issue about the use of social media for emergency alerts.

Many emergency responders and public safety agencies are using Twitter and Facebook, in addition to other tools such as Hyper-Reach, to send out emergency alerts.  (Indeed, Hyper-Reach has social media integration to make it easier to send out alerts that way.)

And, because emergency notification providers such as Hyper-Reach understand that false emergency alert messages can create panic among the public and other potential disruptions, we know how important security is. So we have sophisticated functions to protect against hacking.  In addition, there is a certain benefit to being less conspicuous than a Twitter or Facebook when it comes to avoiding a cyber attack.

But if US Central Command’s Twitter account can be hacked, so can yours. Which means that people who are following your Twitter feeds and see a false emergency alert may potentially be led astray and do something that is contrary to their interests or safety.

Obviously, good password management is important. And it is likely that Twitter, Facebook, YouTube and other social media will continue to enhance their security. But this hack attack on US Central Command is a good cautionary tale to remind public safety agencies that use social media for emergency alerts, as well as other emergency alert services, that security is important and should be maintained for every system that is used to communicate to the public.

Mass Emergency Notification Systems – Perfect for the Cloud

Here’s an article about how Asheville, NC (one of our favorite cities) is moving many of their disaster recovery systems to the cloud.

According to the article (and this makes perfect sense), officials there are trying to mitigate risk by putting distance between Asheville and the location of critical data processing functions so that a local disaster doesn’t take out those processes. An interesting note about this article is that the Asheville folks decided not to use regional data centers because they felt the business model of those data centers required oversubscription. So in an emergency too many people would be trying to use the services provided by those data centers.

Since there are still a handful of communities that use emergency notification systems that operate on local computer networks, we thought this would be a good time to point out how valuable cloud-based emergency notification is.

Using Hyper-Reach as an example, we operate three data centers that are strategically spread around the country, and we deliberately maintain a low average utilization rate so that there is plenty of capacity when a community needs to use our services in high volume. As a result, if there is a local disaster that would interrupt computer services, Hyper-Reach’s service would still be available for mass notification.


IPAWS/WEA: CMAText vs. Canned Messages

We’ve written on this topic before, but it never hurts to reiterate the message and push for change.

A recent story from West Virginia illustrates the risk of standard WEA (Wireless Emergency Alert) messages.  (To be fair, we’re assuming the offending messages were not CMAtext, which are basically free form text messages).

To quote the story:

“Cell phone users received a message advising them to “evacuate now”.  The message was incomplete, lacking a specific location and details on what sparked the evacuation order.  The same, vague message was received multiple times by some residents, hours after the fire was extinguished and there was no longer a risk of danger.”

This is exactly the issue we discussed in November.  Standard WEA messages often use the phrase “In this area” to tell message recipients the location of an emergency, and rely on the geographical selection of the broadcast area, which is a function of of two factors: the IPAWS originating software and the method used by the cell phone carriers to pick the cell towers from which the message is broadcast.  But “in this area” is pretty vague to many people – including people quoted by the story.

We won’t guess at why the message was received  multiple times by some folks.  But this isn’t the first time that issue has been raised.

That training that is required of Originating Authorities (the people who can send messages) doesn’t discuss the effectiveness of message wording.  So public safety people who use IPAWS may find that the messages they send don’t work the way they expected.

We still think that IPAWS is a great tool.  And many people are using CMAText, which lets you choose the specific wording you want.  But as IPAWS and WEA become more common, it’s going to be incumbent on users of the system to understand what effective communication means in the context of the 90 characters that WEA messages allow.

Roaches to the rescue!

Imagine yourself trapped in a building after a strong earthquake blocks the exits or maybe you’re stuck in the attic during a flood. At some point, some form of panic will set in. You’ll wonder if you will be rescued. Will the building collapse before help comes? What if the waters continue to rise and I drown in my attic?! The thoughts swirl a hundred miles an hour around your head and hope begins to fade.

You quietly whisper your last prayers when you hear a faint hissing sound. Is it the sound of death?! Suddenly a swarm of Madagascar hissing cockroaches enter your place of captivity from all cracks and corners. Things couldn’t get worse! They approach quickly and begin crawling over your feet and body. You do your best to knock them off while screaming frantically with the hopes that Death comes quickly! Unexpectedly, you notice something different about these roaches. There’s something attached to them. You swallow hard, pinch one of them, and examine its small looking backpack. Then, you hear human voices! You’ve been found and realize the tiny backpacks are tracking devices.

Researchers have a hopeful future for our creepy, crawly house mates! “One day, when people see a cockroach, they’ll be relieved instead of repulsed.” Alper Bozkurt, an engineering professor, believes that we can use cockroaches during emergency situations to save lives. He may be a little optimistic thinking that people – even those in dire need of saving – will be welcoming our critter friends with open arms.

Australian Benchmark for Emergency Alert Success

We just came across this report, entitled “Bushfire In Australia”, which discusses how to prepare folks in Australia for wildfires near homes in the bush country.   Since wildfires are common in the western US, we thought it was interesting.  And this quote caught our eye:

According to the BRCIM 2014 Annual Report (Bushfire Royal Commission Implementation Monitor, 2014) the Emergency Alert (EA) has been used by emergency services across Australia for 1,277 campaigns to send almost 11 million warning messages with an overall success rate of 67 per cent. Since its release in October 2013, the LBS has been used in seven jurisdictions for 176 campaigns to send in excess of one million warning messages with an average delivery success rate of 94 per cent.

By Emergency Alert, they mean something similar to the Hyper-Reach and other systems in the US.  As described, it seems that these are run by the telephone companies down under.

The LBS system sounds a little like WEA (Wireless Emergency Alerts), although the system apparently sends individual SMS messages, as described:

The Emergency Alert (EA) system has been operational since December 2009, with subsequent version upgrades. It has two capabilities to send warning messages to those in areas at risk:
1. Location Based Number Store (LBNS) that delivers voice messages to landlines and text messages to mobile phones based on the registered service address in Australia, and
2. Location Based Solution (LBS) that delivers text messages to mobiles based on the last known location of the handset.
LBNS applies to all customers of the three Australian network providers, Telstra, Optus and VHA, within their areas of coverage, including international visitors roaming on the three networks.

Two items stand out:

  1. First, the delivery to landline and mobile phones based on service address has a success rate of about 67%.
  2. Second, using “last known address” for mobile phones has a success rate of about 94%.

This makes a lot of sense to us.  Calling a landline means calling a device which is often separated from the human target you want t communicate with (e.g., they’re not home.)  Since people usually have their mobile phone with them, texting the mobile directly is going to be much more effective.


Fake Emergency Alert Messages – Serious Threat or Passing Annoyance?

This article from Johnson County, Wyoming raises some interesting issues.

It seems that residents have been getting fake calls that appear to be “emergency alert” calls from the county.  But it’s unclear what the motive for the calls is.  The article says the calls become garbled, then cut out.  So other than annoying folks, it’s hard to see what these calls will accomplish.

But the assurances from the county don’t give us a warm and fuzzy, either.

First, the article tells us that all real calls will start with “This is a CodeRED alert”.  But if the calls can start with “This is Johnson County”, it’s not hard to imagine the culprits changing that message to “This is a CodeRED alert.”

Second, the article tells us that the caller ID for real calls will end in “5000” (probably).  Again, that’s not hard to do.  Faking a caller ID is pretty easy.  And there are thousands of phone numbers that can end in “5000”.  For the past few months, I’ve been getting illegal automated calls that have my area code and exchange so they look like local calls.  And we’ve talked to friends who’ve gotten similar calls.

Still, despite the fact that hackers could probably fake emergency alert calls pretty easily, it’s not obvious that they’d bother.  Making calls on the public phone network costs money – lots of money when compared with emails and other Internet messaging – and a scammer has to find a way to get a return on their investment.

These fake calls are a concern.  And we’re glad people report this kind of activity.  But it’s too soon to tell if the calls are a serious problem.  Hopefully – once the perpetrators find that this activity is not profitable – they will simply stop.


Interesting Source of Creative Inspiration

We just came across the Earth Manual Project, a website that “aims to gather examples of excellent disaster preparedness innovation from all over the world and put them to productive future use.”

The website is more oriented to Asia (the authors seem to be primarily Japanese) and it gets most of its inspiration from developing countries.  But as a source of creative ideas in getting the public prepared for emergencies, that difference in perspective could be helpful for public safety folks in the US.  For example, one page discusses how camping – something many Americans are fond of – is one of the most popular ways to get people interested in emergency preparations.

We think this is an interesting website and worth at least 10 minutes of review.  And we’ll keep an eye on it and highlight things we think are interesting and potentially useful.


Digital conversations can be an effective tool in emergency situations.

Emergency management agencies are using social media (Twitter, Facebook, etc.) to get information out during emergencies. So we think it’s important to follow what influential institutions are doing in this area. Last month, the United Nations office of the Coordination of Humanitarian Affairs published a report about hashtag standardization, primarily discussing the social media platform, Twitter. It is important, first, to know that a hashtag must contain the pound sign (#) with some sort of phrase immediately following. The hashtag allows for digital conversations to be had on Twitter and can organize topic-related tweets. According to the document, “the public is using Twitter for real-time information exchange and for expressing emotional support during a variety of crises, such as wildfires, earthquakes, floods, hurricanes, political protests, mass shootings, and communicable-disease tracking.” The important and most effective feature about Twitter is that it allows real-time information to be public within seconds. For emergency responders, tweets and other social media posts help responders organize more effectively and track where the most need is during and immediately following a crisis. One of the case studies from the report is Super Typhoon Haiyan in the Philippines (2013). Within the first 48 hours after Super Typhoon Haiyan’s landfall, nearly 230,000 tweets were published internationally containing a situationally relevant hashtag. From those tweets, over 600 written messages and 180 images were identified containing actionable information for emergency response planning. These messages included evidence of affected areas, as well as logistics planning information such as road closures, downed power lines and shelter locations. Digital humanitarians from the Standby Volunteer Taskforce triangulated and published this information to live crisis maps to assist aid workers in-country, sometimes even before the responders reached the Philippines. The effectiveness and importance of using Twitter has become widespread around the world. It has become essential for getting reliable and up-to-the-minute information out to the public. That’s why Hyper-Reach includes a fully-integrated Twitter and Facebook component in its emergency messaging application and continues to explore how else to help responders get information out to the public using social media.

Small Changes in Wording Can Mean Big Changes in Behavior

This article in the NY Times is about workplace discrimination, but skip to the eighth paragraph or so, and you’ll find reference to a fascinating bit of research, in which a message to keep people from stealing petrified wood in a national forest backfired at first (theft went up 60%), then dropped to less than half of the original rate – all by changing a few sentences.

Marketing people understand the impact of small changes in message delivery very well.  I once worked at a company that spent hundreds of thousands of dollars testing the impact of using red, green or blue postcards (the blue worked best).

Why should public safety folks care about these things?  Because these examples – and many others in social science literature – demonstrate that how a message is delivered can make a dramatic difference in what people do in response to that message.

As a communicator, you want your messages to be effective, both in getting the public to prepare (for example, by signing up for emergency alerts), and in responding to emergency situations (e.g. shelter-in-place.)

Public safety folks don’t have thousands of dollars to spend on sophisticated market research, but you can use this insight to your advantage in at least three ways:

  1. Be aware that wording matters.  Pay attention to how you word your messaging, and always make a best effort;
  2. Pay attention to your results.  Did the public “get it” when you sent out your message?
  3. Find out what others are doing.  See what others think works or fails to work.

There are basic principles you can follow, and we’ll write about these in future posts.  For example, messages that suggest that other people are complying are usually more effective than messages that complain about people not doing what you want them to do.

But the first step is just to be aware.  You’ll be surprised how much more effective you can be.


The Importance of Simplicity in Emergency Alerts

Some emergency alert systems are designed with simplicity as a priority.  Others were designed to have lots of features and may have sacrificed simplicity for the sake of added functionality. The best systems offer lots of capability while keeping their systems simple and easy to use.

Two recent news stories reminded us why the system should favor simplicity whenever possible.

First, there’s this story from Wake Forest, NC in which thousands of residents were called to notify them that they were behind on their utility payments and their power was scheduled to be disconnected.  Instead of the 232 folks for whom the message was meant, it went to almost everyone in town.  To compound things, a follow up message to try and clear things up went out as late as 1AM.

Then, there’s this story from Horry County, SC in which a message about a murder suspect was confusing, and missing important information.  As the story says, “About 110,000 people got the message that left out the specific location, the agency, and had the wrong person’s name.”

In both cases, the agencies involved said they would re-train their people to make sure proper procedures are followed.  And of course, that’s a good idea.

Another good idea is to use a system that’s so simple, mistakes are difficult to make.  Hyper-Reach uses a simple three-step process that makes sending a message a snap.  It’s so simple, that users of other systems tell us that it’s the easiest, fastest, simplest system they have seen.

We’re not claiming that no one has ever made an error using Hyper-Reach.  But we’ve been providing our system for the past 12 years, so we can say that our experience shows.