Jump to content

Two-person rule

From Wikipedia, the free encyclopedia
(Redirected from Two person integrity)
Sealed Authenticator System safe at a missile launch control center with two crew locks

The two-person rule is a control mechanism designed to achieve a high level of security for especially critical material or operations. Under this rule, access and actions require the presence of two or more authorized people at all times.

United States: nuclear weapons

[edit]

Per US Air Force Instruction (AFI) 91-104, "the two-person concept" is designed to prevent accidental or malicious launch of nuclear weapons by a single individual.[1]

In the case of Minuteman missile launch crews, once a launch order is received, both operators must agree that it is valid by comparing the authorization code in the order against a Sealed Authenticator (a special sealed envelope containing a verification code). These Sealed Authenticators are stored in a safe which has two separate locks. Each operator has the key to only one lock, so neither can open the safe alone. Also, each operator has one of two launch keys; once the order is verified, they must insert the keys in slots on the control panel and turn them simultaneously. As a further precaution, the slots for the two launch keys are positioned far enough apart to make it impossible for one operator to reach both of them at once. For additional protection, the crew in another launch control center must verify the authorization code and turn their keys for the missiles to be launched. A total of four keys are thus required to initiate a launch.

On a submarine, both the commanding officer and the executive officer must agree that the order to launch is valid and then mutually authorize the launch with their operations personnel. Instead of another party who would confirm a missile launch as in the case of land-based ICBMs, a third officer – the Weapons Officer – must also confirm the launch. In addition, the set of keys is distributed among the key personnel on the submarine, and the keys are kept in safes (each of these crew members has access only to their key). Some keys are stored in special safes on board which are secured by combination locks. Nobody on board has the combination to open these safes; the unlock key comes as a part of the launch order (Emergency Action Message) from the higher authority.[2]

Journalist Ron Rosenbaum has pointed out that, once the order is issued, the process is entirely concerned with authenticating the identity of the commanding officers and the authenticity of the order, and there are no safeguards to verify that the order or the person issuing it is actually sane.[3] Notably, Major Harold Hering was discharged from the Air Force for asking the question, "How can I know that an order I receive to launch my missiles came from a sane President?"[3]

The two-person rule only applies in the missile silos and submarines; there is no check on the US president's sole authority to order a nuclear launch.[4]

Cryptographic material

[edit]

Two-person integrity (TPI) is the security measure taken to prevent single-person access to COMSEC keying material and cryptographic manuals. TPI is accomplished as follows:[5]

  • The constant presence of two authorized persons when COMSEC material is being handled;[5]
  • The use of two combination locks on security containers used to store COMSEC material; and[5]
  • The use of two locking devices and a physical barrier for the equipment.[5]

At no time can one person have in their possession the combinations or keys to gain lone access to a security container or cryptographic equipment containing COMSEC material. Neither can one person have sole possession of COMSEC material that requires TPI security.[5]

No-lone zone

[edit]
Sign in the Titan Missile Museum

A no-lone zone is an area that must be staffed by two or more qualified or cleared individuals at all times.[6] The individuals must maintain visual contact with each other and with the component(s) that require the no-lone-zone area designation. Such a zone may contain a cryptographic component, weapon system hardware under test, a nuclear weapon, active weapon controls, or other such critical information or devices.

In the United States Air Force (USAF) policy concerning critical weapons, a no-lone zone is an area for which entry by a single unaccompanied individual is prohibited. The two-person concept requires the presence of at least two individuals knowledgeable of the task(s) to be performed; in addition, each individual must be capable of detecting an incorrect or unauthorized procedure on the part of any others regarding the task(s).[7]

Other uses

[edit]

The two-person rule is used in other safety-critical applications where the presence of two people is required before a potentially hazardous operation can be performed. This is common safety practice in, for example, laboratories and machine shops. In such a context, the additional security may be less important than the fact that if one individual is injured the other can call for help. As another example, firefighters operating in a hazardous environment (i.e., interior structure fire, HAZMAT zone, also known as IDLH, or "immediately dangerous to life or health") function as a team of at least two personnel. There is commonly more than one team in the same environment, but each team operates as a unit.

Dual keys require the authorization of two separate parties before a particular action is taken. The simplest form of dual key security is a lock that requires two keys to open, with each key held by a different person. The lock can only be opened if both parties agree to do so at the same time. In 1963, Canada accepted having American W-40 nuclear warheads under dual key control on Canadian soil, to be used on the Canadian BOMARC missiles.

Similarly, many banks implement some variant of the two-person rule to secure large sums of money and valuable items. Under this concept, unlocking the vault requires two individuals with different keys if the vault is secured by a key lock system. For bank vaults secured by combination locks, two or more employees may each be given a portion of the combination. None of them knows the entire combination, and all of them must be physically present in order to open the vault.

As an extension of the broader rationale for the two-person rule, regulations for some companies or not-for-profit organizations may require signatures of two executives on checks. These rules make it harder for an individual acting alone to defraud the organization.

Some software systems enforce a two-person rule whereby certain actions (for example, funds wire transfers) can only take place if approved by two authorized users. This helps prevent expensive errors, and makes it more difficult to commit fraud or embezzlement. While such requirements are common in financial systems, they are also used in controls for critical infrastructure, such as nuclear reactors for electrical power generation, and dangerous operations, such as biohazard research facilities.

Finally, the testimony of two witnesses is valuable in various situations to deter a wrongful act or a false accusation of one, or to prove that a wrongful act occurred.

In some correctional facilities, inmates may be given a two-person rule designation, which means that a minimum of two correctional officers must be utilized to move that particular inmate, primarily due to disciplinary reasons or possible officer safety issues.

Civilian aircraft

[edit]

In late March 2015 many civil aviation authorities and/or airlines made the cockpits of aircraft in flight mandatory "two-person" or "no-lone zones" as a result of the Germanwings Flight 9525 crash.[8][9][10][11][12] Early on in the investigation of that crash, it was believed from the cockpit voice recorder audio, and later supported by flight data recorder information, that the co-pilot deliberately crashed the aircraft after locking the cockpit door when the captain left to use the toilet.[13]

[edit]
  • In the film The Hunt for Red October, when Captain Ramius takes the dead political officer's missile key, a fellow officer, the ship's doctor, requests that he have the key, using the two-person rule as his reason, saying, "The reason for having two missile keys is so that no one man may arm the missiles."
  • The two-person rule was crucial in the movie Crimson Tide when the captain and the executive officer of the USS Alabama disagreed over the release of nuclear weapons.
  • In the Tom Clancy novel The Sum of All Fears, President Robert Fowler and Jack Ryan, as Deputy Director of the Central Intelligence Agency, were the two individuals that were authorized to issue a nuclear launch order against a city thought to be harboring a terrorist leader. Ryan refused to validate the launch order and the nuclear attack is aborted. Ryan was serving as the second one because the Secretary of Defense was killed in a terrorist attack.
  • In the film WarGames, a two-person missile crew receives and verifies an order to launch, but one individual refuses to turn his launch key even after the other threatens to shoot him. Unknown to them, the attack was a simulation; this incident (as well as a significant rate of similar refusals among other missile crews) sets up the basis of the movie, in which the Department of Defense puts the missile launch system under fully automatic control to prevent a future refusal to launch.
  • Similar to WarGames, in the computer game Command & Conquer: Red Alert 2 one officer pulls a gun on the second officer when given the command to launch nuclear missiles. However, this is not due to a disagreement, but due to direct mind control.
  • The Star Trek franchise depicts the two-person rule and other similar variations in critical situations, often concerning arming or cancelling a ship's self-destruct mechanism (except for Star Trek: Voyager in which only the Captain's authorization was required). Some variants require the authorization of three senior officers (the original Star Trek episode "Let That Be Your Last Battlefield", Star Trek III: The Search for Spock, Star Trek: First Contact), others just the commanding and executive officers (Star Trek: The Next Generation episodes "11001001" and "Where Silence Has Lease", Star Trek: Deep Space Nine episode "The Adversary"). All depictions include voice authorization of the officers involved, while the two-person variant also involved a hand print identification.
  • In Bee Movie, when honey production is ordered to be halted, two workers simultaneously turn their ignition keys to unlock a shutdown button.
  • In Torch of Freedom by Eric Flint, the nuclear self-destruct device for an important installation requires at least two people to activate. Nonetheless, one person gains access to all the necessary codes and is able to activate the device.
  • In the first episode of the ABC series Last Resort, Marcus Chaplin and Sam Kendal, the captain and XO respectively, perform a two-person launch procedure, prior to questioning the attack order.
  • In The Day After, the United States initiates a counterattack against the Soviet Union. This includes a complete two-person LGM-30 Minuteman missile launch sequence taken from the earlier movie First Strike.
  • In Pixar's Inside Out animated movie, the father's personified emotions initiate punishment for Riley's misbehavior using a two-person rule system to arm a trigger for "putting the foot down".
  • In the "Solitude" episode of the CBS series Supergirl, the villain Indigo kills all the silo personnel to take the keys, and then stretches her arms to turn both keys at the same time, launching a nuclear missile intended to destroy National City.
  • In GoldenEye the eponymous EMP attack satellite can only be fired in this way at both the Severnaya and Cuba sites.
  • In an episode of Madam Secretary, two officers initiate the two-person rule to launch an ICBM, but a termination order comes in at the last moment.
  • In season 3 of the Netflix series Stranger Things, an underground Soviet machine requires the two-person rule to open and close a gate to the Upside Down.[14] Joyce Byers is forced to turn both keys simultaneously to operate the damaged machine, triggering an explosion.

See also

[edit]

References

[edit]
  1. ^ Maj Gen Margaret H. Woodward (23 April 2013). "AIR FORCE INSTRUCTION 91-104" (PDF-136 KB). p. 2. Retrieved 16 March 2015 – via Federation of American Scientists @ fas.org.
  2. ^ Waller, Douglas C. (4 March 2001). "Practicing For Doomsday". TIME. p. 3. Retrieved 16 March 2015. Extract from: Waller, Douglas C. (2001) Big Red: Three Months On Board a Trident Nuclear Submarine, HarperCollins ISBN 978-0-06-019484-0
  3. ^ a b Rosenbaum, Ron (February 28, 2011) "An Unsung Hero of the Nuclear Age – Maj. Harold Hering and the forbidden question that cost him his career" slate.com. Retrieved February 13, 2012
  4. ^ "Debate Over Trump's Fitness Raises Issue of Checks on Nuclear Power" at nytimes.com, 4 August 2016 (retrieved 6 August 2016
  5. ^ a b c d e "Two-person integrity" tpub.com, pp. 3–9 & 3–10
  6. ^ "no-lone zone (NLZ)". COMPUTER SECURITY RESOURCE CENTER. National Institute of Standards and Technology. Retrieved 2023-10-22.
  7. ^ Culver, William C. (26 March 2020). "AIR FORCE INSTRUCTION 91-101" (PDF). Department of the Air Force E-Publishing. p. 46 § 5.2.6.
  8. ^ "Germanwings Flight 4U9525: Canadian airlines told to have 2 people in the cockpit". CBC News. 27 March 2015. Retrieved 27 March 2015.
  9. ^ Cooke, Henry (27 March 2015). "CAA changes cockpit policy following Germanwings crash". Fairfax New Zealand. Retrieved 27 March 2015.
  10. ^ "Germanwings Crash: How the Aviation Industry Has Reacted". The Wall Street Journal. 27 March 2015. Retrieved 27 March 2015.
  11. ^ "'Rule of two': Australia to require two in a cockpit at all times in wake of Germanwings tragedy". The Sydney Morning Herald. 30 March 2015. Retrieved 30 March 2015.
  12. ^ "EASA recommends minimum two crew in the cockpit". EASA. 27 March 2015. Retrieved 28 March 2015.
  13. ^ "Germanwings crash: Co-pilot Lubitz 'accelerated descent'". BBC News. 3 April 2015.
  14. ^ McCluskey, Megan. "Stranger Things Season 3 Movie References Explained". Time. Retrieved 23 September 2024.
General