NEWS

Hawaii emergency agency password photo shows why OPSEC is actually important

On Jan. 13, people in Hawaii were awakened by a terrifying false alert about an inbound missile. Hawaii's Emergency Management Agency has said a worker clicked the wrong item in a drop-down menu and sent it, and that its system was not hacked.


"It was a mistake made during a standard procedure at the changeover of a shift, and an employee pushed the wrong button," Gov. David Ige said.

But an Associated Press photo from July that recently resurfaced on Twitter has raised questions about the agency's cybersecurity practices.

In it, the agency's operations officer poses in front of a battery of screens. Attached to one is a password written on a Post-it note.

 

Computer, enhance:

 

An agency spokesman told Hawaii News Now that the password is authentic, and had been used for an "internal application" that he believed was no longer being used.

While these computers are unrelated to the system that sent the false missile alert, the photo raises questions about the approach to information security at the agency. (On the other screen, another note reminds the user to "SIGN OUT.")

Writing down passwords isn't a strict security no-no. Some experts say that keeping a hard copy of a password in your wallet is defensible — if you can keep the piece of paper secure. But a note on a monitor is not secure, especially if it's for computer systems dedicated to keeping people safe.

Also Read: The Hawaii worker who 'pressed the wrong button' has been reassigned

The photo has already drawn some ridicule from those in the operational-security industry.

Here's what the system that sent the false alert on Jan. 13 looks like: