- Two-man rule
-
The two-man rule is a control mechanism designed to achieve a high level of security for especially critical material or operations. Under this rule all access and actions requires the presence of two authorized people at all times.
Contents
Nuclear weapons
Per US Air Force Instruction (AFI) 91-104, "The Two Person Concept" is designed to prevent accidental or malicious launch of nuclear weapons by a single individual.
In the case of Minuteman missile launch crews, both operators must agree that the launch order is valid by comparing the authorization code in the launch order against the code from Sealed Authenticator (i.e. special sealed envelope which holds the code). These Sealed Authenticators are stored in a safe which has two separate locks so a single crew member cannot open the safe alone. Each crew member has two launch keys; both crew members must turn their keys simultaneously. Four keys are required to prevent one person from initiating a launch. For additional protection the missile crew in another Launch Control Center must do the same for the missiles to be launched. There is also a procedure for the "Single Survivor" situation where some other conditions must be fulfilled for a successful launch.[citation needed]
On a submarine, both the commanding officer and executive officer must agree that the order to launch is valid, and then mutually authorize the launch with their operations personnel. Instead of another party which would confirm a missile launch as in the case of land-based ICBMs, the set of keys is distributed among the key personnel on the submarine and are kept in safes (each of these crew members has access only to his keys). Some keys are stored in special safes on board which are locked by combination locks. Nobody on board has the combination to open these safes - the unlock key comes as a part of the launch order from the higher authority.[1]
Higher up, in the United States, the National Command Authority comprising the President and Secretary of Defense must jointly issue the order to use nuclear weapons to the Chairman of the Joint Chiefs of Staff.[citation needed] Usually, the two-man rule is also backed up with hardware and software measures including command code verification and command keys.
Journalist Ron Rosenbaum has pointed out that, once the order is issued, the process is entirely concerned with authenticating the identity of the commanding officer and the authenticity of the order, and there are no safeguards to verify that the order or the person issuing it is actually sane.[2] Notably, Major Harold Hering was discharged from the Air Force for asking the question "How can I know that an order I receive to launch my missiles came from a sane president?"[2]
Cryptographic material
Two-person integrity (TPI) is the security measure taken to prevent single-person access to COMSEC keying material and cryptographic manuals. TPI is accomplished as follows:
- The constant presence of two authorized persons when COMSEC material is being handled;
- The use of two combination locks on security containers used to store COMSEC material; and
- The use of two locking devices and a physical barrier for the equipment.
At no time can one person have in his or her possession the combinations or keys to gain lone access to a security container or cryptographic equipment containing COMSEC material. Neither can one person have sole possession of COMSEC material that requires TPI security. [1]
No-lone zone
A no-lone zone is an area that must be staffed by two or more qualified or cleared individuals. Each individual must be within visual contact with each other and in visual contact with the critical component that requires a no-lone-zone area designation. A no-lone zone may contain a cryptographic component, weapon system hardware under test, a nuclear weapon or active nuclear weapon controls.
In the USAF concerning critical weapons, it is a zone in which the presence of a single individual is prohibited. The two-person concept (or policy) is in effect in which two individuals, knowledgeable of the task to be performed, and capable of detecting an incorrect or unauthorized procedure on the part of the other in reference to the task being performed.
Other uses
The two-man rule is used in other safety critical applications where the presence of two people is required before a potentially hazardous operation can be performed. This is common safety practice in, e.g., laboratories and machine shops; in such contexts, the additional security may be less important than the fact that if one individual is injured the other can call for help. As another example, Firefighters operating in a hazardous environment (i.e. interior structure fire, HAZMAT zone, also known as IDLH) function as a team of at least 2 or more personnel. There are commonly more than one team in the same environment, but each team operates as a unit. Some software systems enforce a "two-man rule" whereby certain actions (for example, money wire transfers) can only be effected if approved by two authorized users.
Dual keys require the authorization of two separate parties before a particular action is taken. The simplest form of Dual Key security is a lock that requires two keys to unlock it. The two keys would be in the possession of two separate persons. The lock could only be opened if both parties agreed to open it and at the same time. Canada accepted having American W-40 nuclear warheads under dual key control on Canadian soil in 1963 to be used on the Canadian BOMARC missiles.
In business, the four-eye principle "means that all business decisions and transactions need approval from the CEO and CFO. Since the CFO is not reporting to the CEO, there is an independent controlling mechanism in place." [3]
Similarly, many banks implement some variant of the two-man rule to secure large sums of money and valuable items. Under this concept, unlocking the vault requires two individuals with different keys if the vault is secured by a key lock system. For bank vaults secured by combination lock, one individual will know half of the combination and a second person will know the remaining half. At no point will either person know the other person's half of the lock combination, requiring both persons to be physically present in order to unlock the vault.
In popular culture
In the film The Hunt for Red October, when Captain Ramius takes the dead political officer's missile key, a fellow officer, the ship's doctor, requests that he have the key, using the two-man rule as his reason, saying "The reason for having two missile keys is so that no one man may arm the missiles."
The two-man rule was disputed in the movie Crimson Tide when the Captain of the USS Alabama and the executive officer clashed over the release of nuclear weapons.
In the Tom Clancy novel The Sum of All Fears President Robert Fowler and Jack Ryan, Deputy Director of the Central Intelligence Agency, comprise the two men that were to issue a nuclear launch order against a city thought to be harboring a terrorist leader. Ryan refused to validate the launch order and the nuclear attack is aborted. Ryan could be that second man because the SECDEF was killed in a terrorist attack, and due to Ryan's role as DDCI.
In the film WarGames, during a simulation exercise, one of two launch officers pulls a gun on the second officer when he refuses to turn his launch key. This incident sets up the basis of the movie, in which the Department of Defense replaces the two-man system with the WOPR Computer to prevent refusal to launch.
In the film Salt, US President Lewis together with Secretary of Defense verified the authentication codes alternately to launch nuclear weapons from nuclear football inside the Presidential Emergency Operations Center
The Star Trek franchise depicts the two-man rule and other similar variations in critical situations, often concerning arming or cancelling a ship's self-destruct mechanism. Some variants require the authorization of three senior officers (Star Trek III: The Search For Spock, Star Trek: First Contact), others just the Commanding and Executive officers (Star Trek: The Next Generation episodes 11001001 and Where Silence Has Lease, Star Trek: Deep Space Nine episode The Adversary). All depictions include voice authorization of the officers involved, while the two-man variant also involved a handprint identification.
Other meanings
The requirement for the presence of at least two staff members is also used in other contexts where there are security concerns, such as in banks. When bank employees perform some tasks, such as removing money from safes or opening Automated Teller Machine deposits, company policies often require that at least two employees be present. Many banks also make use of physical measures to ensure this - such as cabinets which require the simultaneous use of two keys, or by issuing only half of a vault combination to certain employees and the other half of the combination to the remaining employees.
As an extension of the broader rationale for the "two-man rule", regulations for some companies or not-for-profit organizations may require signatures of two executives on checks. These rules make it harder for an individual acting alone to defraud the organization.
See also
- Buddy system
- Fail-deadly
- Segregation of duties
- The Hunt for Red October
- The Sum of All Fears
- Crimson Tide
References
- U.S. National Park Service article on Minuteman missile launch control centers, with details on operation
- U.S. DOD nuclear weapons recovery manual with reference to two-man rule
- ^ Douglas C. Waller: Practicing For Doomsday
- ^ a b http://www.slate.com/id/2286735/pagenum/all/#p2
- ^ Hason, Fay (2002-12). "Pushing Global Growth". Business Finance. http://www.businessfinancemag.com/magazine/archives/article.html?articleID=13920&pg=5. Retrieved 2007-02-21.
Categories:- Nuclear command and control
- Nuclear weapon safety
- Access control
Wikimedia Foundation. 2010.