Two-man rule

Sealed Authenticator System safe at a Missile launch control center with two crew locks

The two-man rule is a control mechanism designed to achieve a high level of security for especially critical material or operations. Under this rule all access and actions requires the presence of two authorized people at all times.

Nuclear weapons

Per US Air Force Instruction (AFI) 91-104, "The Two Person Concept" is designed to prevent accidental or malicious launch of nuclear weapons by a single individual.

In the case of Minuteman missile launch crews, both operators must agree that the launch order is valid by comparing the authorization code in the launch order against a Sealed Authenticator (a special sealed envelope which holds the code). These Sealed Authenticators are stored in a safe which has two separate locks. Each operator has the key to only one lock, so neither can open the safe alone. Also, each operator has one of two launch keys; once the order is verified, they must insert the keys and turn them simultaneously. A total of four keys are thus required to initiate a launch. For additional protection, the missile crew in another Launch Control Center must do the same for the missiles to be launched. As a further precaution, the slots for the two launch keys are positioned far enough apart to make it impossible for one operator to reach both of them at once.

On a submarine, both the commanding officer and executive officer must agree that the order to launch is valid and then mutually authorize the launch with their operations personnel. Instead of another party who would confirm a missile launch as in the case of land-based ICBMs, the set of keys is distributed among the key personnel on the submarine and are kept in safes (each of these crew members has access only to his or her keys). Some keys are stored in special safes on board which are secured by combination locks. Nobody on board has the combination to open these safes; the unlock key comes as a part of the launch order from the higher authority.^[1]

Higher up, in the United States, the National Command Authority comprising the President and Secretary of Defense must jointly issue the order to use nuclear weapons to the Chairman of the Joint Chiefs of Staff.^[2] Usually, the two-man rule is also backed up with hardware and software measures including command code verification and command keys.

Journalist Ron Rosenbaum has pointed out that, once the order is issued, the process is entirely concerned with authenticating the identity of the commanding officers and the authenticity of the order, and there are no safeguards to verify that the order or the person issuing it is actually sane.^[3] Notably, Major Harold Hering was discharged from the Air Force for asking the question, "How can I know that an order I receive to launch my missiles came from a sane President?"^[3]

Cryptographic material

Two-person integrity (TPI) is the security measure taken to prevent single-person access to COMSEC keying material and cryptographic manuals. TPI is accomplished as follows:^[4]

• The constant presence of two authorized persons when COMSEC material is being handled;^[4]
• The use of two combination locks on security containers used to store COMSEC material; and^[4]
• The use of two locking devices and a physical barrier for the equipment.^[4]

At no time can one person have in his or her possession the combinations or keys to gain lone access to a security container or cryptographic equipment containing COMSEC material. Neither can one person have sole possession of COMSEC material that requires TPI security.^[4]

No-lone zone

A no-lone zone is an area that must be staffed by two or more qualified or cleared individuals. Each individual must be within visual contact with each other and in visual contact with the critical component that requires a no-lone-zone area designation. A no-lone zone may contain a cryptographic component, weapon system hardware under test, a nuclear weapon or active nuclear weapon controls.

In the USAF concerning critical weapons, it is a zone in which the presence of a single individual is prohibited. The two-person concept (or policy) is in effect in which two individuals, knowledgeable of the task to be performed, and capable of detecting an incorrect or unauthorized procedure on the part of the other in reference to the task being performed.

Other uses

The two-man rule is used in other safety critical applications where the presence of two people is required before a potentially hazardous operation can be performed. This is common safety practice in, e.g., laboratories and machine shops. In such a context, the additional security may be less important than the fact that if one individual is injured the other can call for help. As another example, firefighters operating in a hazardous environment (i.e. interior structure fire, HAZMAT zone, also known as IDLH) function as a team of at least 2 or more personnel. There are commonly more than one team in the same environment, but each team operates as a unit. Some software systems enforce a "two-man rule" whereby certain actions (for example, money wire transfers) can only take place if approved by two authorized users.

Dual keys require the authorization of two separate parties before a particular action is taken. The simplest form of dual key security is a lock that requires two keys to unlock it. The two keys would be in the possession of two separate persons. The lock could only be opened if both parties agreed to open it and at the same time. Canada accepted having American W-40 nuclear warheads under dual key control on Canadian soil in 1963 to be used on the Canadian BOMARC missiles.

In business, the four-eye principle "means that all business decisions and transactions need approval from the CEO and CFO. Since the CFO is not reporting to the CEO, there is an independent controlling mechanism in place." ^[5]

Similarly, many banks implement some variant of the two-man rule to secure large sums of money and valuable items. Under this concept, unlocking the vault requires two individuals with different keys if the vault is secured by a key lock system. For bank vaults secured by combination lock, one individual will know half of the combination and a second person will know the remaining half. At no point will either person know the other person's half of the lock combination, requiring both persons to be physically present in order to unlock the vault.

As an extension of the broader rationale for the "two-man rule", regulations for some companies or not-for-profit organizations may require signatures of two executives on checks. These rules make it harder for an individual acting alone to defraud the organization.

In popular culture

In the film The Hunt for Red October, when Captain Ramius takes the dead political officer's missile key, a fellow officer, the ship's doctor, requests that he have the key, using the two-man rule as his reason, saying "The reason for having two missile keys is so that no one man may arm the missiles."

The two-man rule was crucial in the movie Crimson Tide when the captain and the executive officer of the USS Alabama disagreed over the release of nuclear weapons.

In the Tom Clancy novel The Sum of All Fears President Robert Fowler and Jack Ryan, as Deputy Director of the Central Intelligence Agency, were the two men that were authorized to issue a nuclear launch order against a city thought to be harboring a terrorist leader. Ryan refused to validate the launch order and the nuclear attack is aborted. Ryan was serving as the second man because the Secretary of Defense was killed in a terrorist attack.

In the film WarGames, two missile officers are given a launch order, leading to one drawing his sidearm on the other when the latter refuses to turn his launch key. Unknown to them, the attack was a simulation and this incident (as well as a significant rate of similar refusals among other missile crews) sets up the basis of the movie, in which the Department of Defense replaces the two-man system with the WOPR computer to prevent a future refusal to launch. This is parodied in The Bee Movie as a decision to shut down honey production in a hive.

Similar to WarGames, in Command & Conquer: Red Alert 2 one officer pulls a gun on the second officer when given the command to launch nuclear missiles. However, this is not due to a disagreement, but due to direct mind control.

In the film Salt, the President together with the Secretary of Defense verified the authentication codes alternately to launch nuclear weapons from the nuclear football inside the Presidential Emergency Operations Center.

The Star Trek franchise depicts the two-man rule and other similar variations in critical situations, often concerning arming or cancelling a ship's self-destruct mechanism. Some variants require the authorization of three senior officers (Star Trek III: The Search for Spock, Star Trek: First Contact), others just the commanding and executive officers (Star Trek: The Next Generation episodes "11001001" and "Where Silence Has Lease", Star Trek: Deep Space Nine episode "The Adversary"). All depictions include voice authorization of the officers involved, while the two-man variant also involved a hand print identification.

In Infinity Ward's game Call of Duty: Modern Warfare 3, the main character uses a similar two-man key to launch a hijacked Russian submarine's missiles against its own fleet.

In "Torch of Freedom" by Eric Flint, the nuclear self-destruct device for an important installation requires at least two people to activate. Nonetheless, one person gains access to all the necessary codes and is able to activate the device.

In the first episode of the ABC series Last Resort captain Marcus Chaplin and XO Sam Kendal perform a two-man launch procedure, prior to questioning the attack order.

See also

• Buddy system
• Fail-deadly
• Permissive Action Link (PAL)
• Segregation of duties
• Shamir's Secret Sharing

References

General

• U.S. National Park Service article on Minuteman missile launch control centers, with details on operation
• U.S. DOD nuclear weapons recovery manual with reference to two-man rule