Two-man rule
The two-man rule is a control mechanism designed to achieve a high level of security for especially critical material or operations. Under this rule all access and actions requires the presence of two authorized people at all times.
Nuclear weapons
Per US Air Force Instruction (AFI) 91-104, "The Two-Person Concept" is designed to prevent accidental or malicious launch of nuclear weapons by a single individual.[1]
In the case of Minuteman missile launch crews, once a launch order is received, both operators must agree that it is valid by comparing the authorization code in the order against a Sealed Authenticator (a special sealed envelope which holds the code). These Sealed Authenticators are stored in a safe which has two separate locks. Each operator has the key to only one lock, so neither can open the safe alone. Also, each operator has one of two launch keys; once the order is verified, they must insert the keys in slots on the control panel and turn them simultaneously. A total of four keys are thus required to initiate a launch. For additional protection, the missile crew in another launch control center must do the same for the missiles to be launched. As a further precaution, the slots for the two launch keys are positioned far enough apart to make it impossible for one operator to reach both of them at once.
On a submarine, both the commanding officer and executive officer must agree that the order to launch is valid and then mutually authorize the launch with their operations personnel. Instead of another party who would confirm a missile launch as in the case of land-based ICBMs, the set of keys is distributed among the key personnel on the submarine and are kept in safes (each of these crew members has access only to his keys). Some keys are stored in special safes on board which are secured by combination locks. Nobody on board has the combination to open these safes; the unlock key comes as a part of the launch order (Emergency Action Message) from the higher authority.[2]
Journalist Ron Rosenbaum has pointed out that, once the order is issued, the process is entirely concerned with authenticating the identity of the commanding officers and the authenticity of the order, and there are no safeguards to verify that the order or the person issuing it is actually sane.[3] Notably, Major Harold Hering was discharged from the Air Force for asking the question, "How can I know that an order I receive to launch my missiles came from a sane President?"[3]
Cryptographic material
Two-person integrity (TPI) is the security measure taken to prevent single-person access to COMSEC keying material and cryptographic manuals. TPI is accomplished as follows:[4]
- The constant presence of two authorized persons when COMSEC material is being handled;[4]
- The use of two combination locks on security containers used to store COMSEC material; and[4]
- The use of two locking devices and a physical barrier for the equipment.[4]
At no time can one person have in his or her possession the combinations or keys to gain lone access to a security container or cryptographic equipment containing COMSEC material. Neither can one person have sole possession of COMSEC material that requires TPI security.[4]
No-lone zone
A no-lone zone is an area that must be staffed by two or more qualified or cleared individuals. Each individual must be within visual contact with each other and in visual contact with the critical component that requires a no-lone-zone area designation. A no-lone zone may contain a cryptographic component, weapon system hardware under test, a nuclear weapon or active nuclear weapon controls.
In the USAF policy concerning critical weapons, a no-lone zone is an area in which the presence of a single individual is prohibited. The two-person concept requires the presence of two individuals knowledgeable of the task to be performed, and capable of detecting an incorrect or unauthorized procedure on the part of the other regarding the task being performed.
Other uses
The two-man rule is used in other safety critical applications where the presence of two people is required before a potentially hazardous operation can be performed. This is common safety practice in, for example, laboratories and machine shops. In such a context, the additional security may be less important than the fact that if one individual is injured the other can call for help. As another example, firefighters operating in a hazardous environment (i.e. interior structure fire, HAZMAT zone, also known as IDLH, or Immediately Dangerous to Life or Health) function as a team of at least 2 or more personnel. There are commonly more than one team in the same environment, but each team operates as a unit.
Dual keys require the authorization of two separate parties before a particular action is taken. The simplest form of dual key security is a lock that requires two keys to unlock it. The two keys would be in the possession of two separate persons. The lock could only be opened if both parties agreed to open it and at the same time. In 1963, Canada accepted having American W-40 nuclear warheads under dual key control on Canadian soil, to be used on the Canadian BOMARC missiles.
In business, the four-eye principle means that "all business decisions and transactions need approval from the CEO and CFO. Since the CFO is not reporting to the CEO, there is an independent controlling mechanism in place".[5]
Similarly, many banks implement some variant of the two-man rule to secure large sums of money and valuable items. Under this concept, unlocking the vault requires two individuals with different keys if the vault is secured by a key lock system. For bank vaults secured by combination lock, one individual will know half of the combination and a second person will know the remaining half. At no point will either person know the other person's half of the lock combination, requiring both persons to be physically present in order to unlock the vault.
As an extension of the broader rationale for the "two-man rule", regulations for some companies or not-for-profit organizations may require signatures of two executives on checks. These rules make it harder for an individual acting alone to defraud the organization.
Some software systems enforce a two-man rule whereby certain actions (for example, funds wire transfers) can only take place if approved by two authorized users. This helps prevent expensive errors, and makes it more difficult to commit fraud or embezzlement. While such requirements are common in financial systems, they are also used in controls for critical infrastructure, such as nuclear reactors for electrical power generation, and dangerous operations, such as biohazard research facilities.
Civilian aircraft
In late March 2015 many national aviation authorities and/or airlines made the cockpits of aircraft in flight mandatory "two-man" or "no-lone zones" as a result of the Germanwings Flight 9525 crash.[6][7][8][9][10] Early on in the investigation of that crash, it was believed from the cockpit voice recorder audio, and later supported by flight data recorder information, that the co-pilot deliberately crashed the aircraft after locking the cockpit door when the chief pilot left to use the toilet.[11]
In popular culture
In the film The Hunt for Red October, when Captain Ramius takes the dead political officer's missile key, a fellow officer, the ship's doctor, requests that he have the key, using the two-man rule as his reason, saying "The reason for having two missile keys is so that no one man may arm the missiles."
The two-man rule was crucial in the movie Crimson Tide when the captain and the executive officer of the USS Alabama disagreed over the release of nuclear weapons.
In the Tom Clancy novel The Sum of All Fears President Robert Fowler and Jack Ryan, as Deputy Director of the Central Intelligence Agency, were the two men that were authorized to issue a nuclear launch order against a city thought to be harboring a terrorist leader. Ryan refused to validate the launch order and the nuclear attack is aborted. Ryan was serving as the second man because the Secretary of Defense was killed in a terrorist attack.
In the film WarGames, two missile officers are given a launch order, leading to one drawing his sidearm on the other when the latter refuses to turn his launch key. Unknown to them, the attack was a simulation and this incident (as well as a significant rate of similar refusals among other missile crews) sets up the basis of the movie, in which the Department of Defense replaces the two-man system with the WOPR computer to prevent a future refusal to launch. This is parodied in Bee Movie as a decision to shut down honey production in a hive.
Similar to WarGames, in the computer game Command & Conquer: Red Alert 2 one officer pulls a gun on the second officer when given the command to launch nuclear missiles. However, this is not due to a disagreement, but due to direct mind control.
The Star Trek franchise depicts the two-man rule and other similar variations in critical situations, often concerning arming or cancelling a ship's self-destruct mechanism (except for Star Trek: Voyager in which only the Captain's authorization was required). Some variants require the authorization of three senior officers (Star Trek III: The Search for Spock, Star Trek: First Contact), others just the commanding and executive officers (Star Trek: The Next Generation episodes "11001001" and "Where Silence Has Lease", Star Trek: Deep Space Nine episode "The Adversary"). All depictions include voice authorization of the officers involved, while the two-man variant also involved a hand print identification.
In Torch of Freedom by Eric Flint, the nuclear self-destruct device for an important installation requires at least two people to activate. Nonetheless, one person gains access to all the necessary codes and is able to activate the device.
In the first episode of the ABC series Last Resort captain Marcus Chaplin and XO Sam Kendal perform a two-man launch procedure, prior to questioning the attack order.
In The Day After, the United States initiates a missile attack against the Soviet Union. This includes a complete two-person LGM-30 Minuteman missile launch sequence.
In Pixar's Inside Out animation movie, the father's personified emotions initiate punishment for Riley's misbehavior using a two-man rule system to arm a trigger for "putting the foot down".
See also
References
- ↑ Maj Gen Margaret H. Woodward (April 23, 2013). "AIR FORCE INSTRUCTION 91-104" (PDF-136 KB). p. 2. Retrieved March 16, 2015 – via Federation of American Scientists @ fas.org.
- ↑ Waller, Douglas C. (March 4, 2001). "Practicing For Doomsday". TIME. p. 3. Retrieved March 16, 2015. Extract from: Waller, Douglas C. (2001) Big Red: Three Months On Board a Trident Nuclear Submarine, Harper Collins Publishers Inc. ISBN 9-780-060-19484-0
- 1 2 Rosenbaum, Ron (February 28, 2011) "An Unsung Hero of the Nuclear Age - Maj. Harold Hering and the forbidden question that cost him his career" slate.com. Retrieved February 13, 2012
- 1 2 3 4 5 "Two-person integrity" tpub.com, pp. 3-9 & 3-10
- ↑ Hason, Fay (December 2002). "Pushing Global Growth". Business Finance. Retrieved 2007-02-21.
- ↑ "Germanwings Flight 4U9525: Canadian airlines told to have 2 people in the cockpit". CBC News. 27 March 2015. Retrieved 27 March 2015.
- ↑ Cooke, Henry (27 March 2015). "CAA changes cockpit policy following Germanwings crash". Fairfax New Zealand. Retrieved 27 March 2015.
- ↑ "Germanwings Crash: How the Aviation Industry Has Reacted". The Wall Street Journal. 27 March 2015. Retrieved 27 March 2015.
- ↑ "'Rule of two': Australia to require two in a cockpit at all times in wake of Germanwings tragedy". The Sydney Morning Herald. 30 March 2015. Retrieved 30 March 2015.
- ↑ "EASA recommends minimum two crew in the cockpit". EASA. 27 March 2015. Retrieved 28 March 2015.
- ↑ "Germanwings crash: Co-pilot Lubitz 'accelerated descent'". BBC News. 3 April 2015.
- General
- U.S. National Park Service article on Minuteman missile launch control centers, with details on operation
- U.S. DOD nuclear weapons recovery manual with reference to two-man rule