Two-person rule (original) (raw)

From Wikipedia, the free encyclopedia

Action only authorized by two or more people

Sealed Authenticator System safe at a missile launch control center with two crew locks

The two-person rule is a control mechanism designed to achieve a high level of security for especially critical material or operations. Under this rule, access and actions require the presence of two or more authorized people at all times.

United States: nuclear weapons

[edit]

Per US Air Force Instruction (AFI) 91-104, "the two-person concept" is designed to prevent accidental or malicious launch of nuclear weapons by a single individual.[1]

In the case of Minuteman missile launch crews, once a launch order is received, both operators must agree that it is valid by comparing the authorization code in the order against a Sealed Authenticator (a special sealed envelope containing a verification code). These Sealed Authenticators are stored in a safe which has two separate locks. Each operator has the key to only one lock, so neither can open the safe alone. Also, each operator has one of two launch keys; once the order is verified, they must insert the keys in slots on the control panel and turn them simultaneously. As a further precaution, the slots for the two launch keys are positioned far enough apart to make it impossible for one operator to reach both of them at once. For additional protection, the crew in another launch control center must verify the authorization code and turn their keys for the missiles to be launched. A total of four keys are thus required to initiate a launch.

On a submarine, both the commanding officer and the executive officer must agree that the order to launch is valid and then mutually authorize the launch with their operations personnel. Instead of another party who would confirm a missile launch as in the case of land-based ICBMs, a third officer – the Weapons Officer – must also confirm the launch. In addition, the set of keys is distributed among the key personnel on the submarine, and the keys are kept in safes (each of these crew members has access only to their key). Some keys are stored in special safes on board which are secured by combination locks. Nobody on board has the combination to open these safes; the unlock key comes as a part of the launch order (Emergency Action Message) from the higher authority.[2]

Journalist Ron Rosenbaum has pointed out that, once the order is issued, the process is entirely concerned with authenticating the identity of the commanding officers and the authenticity of the order, and there are no safeguards to verify that the order or the person issuing it is actually sane.[3] Notably, Major Harold Hering was discharged from the Air Force for asking the question, "How can I know that an order I receive to launch my missiles came from a sane President?"[3]

The two-person rule only applies in the missile silos and submarines; there is no check on the US president's sole authority to order a nuclear launch.[4]

Cryptographic material

[edit]

Two-person integrity (TPI) is the security measure taken to prevent single-person access to COMSEC keying material and cryptographic manuals. TPI is accomplished as follows:[5]

At no time can one person have in their possession the combinations or keys to gain lone access to a security container or cryptographic equipment containing COMSEC material. Neither can one person have sole possession of COMSEC material that requires TPI security.[5]

Sign in the Titan Missile Museum

A no-lone zone is an area that must be staffed by two or more qualified or cleared individuals at all times.[6] The individuals must maintain visual contact with each other and with the component(s) that require the no-lone-zone area designation. Such a zone may contain a cryptographic component, weapon system hardware under test, a nuclear weapon, active weapon controls, or other such critical information or devices.

In the United States Air Force (USAF) policy concerning critical weapons, a no-lone zone is an area for which entry by a single unaccompanied individual is prohibited. The two-person concept requires the presence of at least two individuals knowledgeable of the task(s) to be performed; in addition, each individual must be capable of detecting an incorrect or unauthorized procedure on the part of any others regarding the task(s).[7]

The two-person rule is used in other safety-critical applications where the presence of two people is required before a potentially hazardous operation can be performed. This is common safety practice in, for example, laboratories and machine shops. In such a context, the additional security may be less important than the fact that if one individual is injured the other can call for help. As another example, firefighters operating in a hazardous environment (i.e., interior structure fire, HAZMAT zone, also known as IDLH, or "immediately dangerous to life or health") function as a team of at least two personnel. There is commonly more than one team in the same environment, but each team operates as a unit.

Dual keys require the authorization of two separate parties before a particular action is taken. The simplest form of dual key security is a lock that requires two keys to open, with each key held by a different person. The lock can only be opened if both parties agree to do so at the same time. In 1963, Canada accepted having American W-40 nuclear warheads under dual key control on Canadian soil, to be used on the Canadian BOMARC missiles.

Similarly, many banks implement some variant of the two-person rule to secure large sums of money and valuable items. Under this concept, unlocking the vault requires two individuals with different keys if the vault is secured by a key lock system. For bank vaults secured by combination locks, two or more employees may each be given a portion of the combination. None of them knows the entire combination, and all of them must be physically present in order to open the vault.

As an extension of the broader rationale for the two-person rule, regulations for some companies or not-for-profit organizations may require signatures of two executives on checks. These rules make it harder for an individual acting alone to defraud the organization.

Some software systems enforce a two-person rule whereby certain actions (for example, funds wire transfers) can only take place if approved by two authorized users. This helps prevent expensive errors, and makes it more difficult to commit fraud or embezzlement. While such requirements are common in financial systems, they are also used in controls for critical infrastructure, such as nuclear reactors for electrical power generation, and dangerous operations, such as biohazard research facilities.

Finally, the testimony of two witnesses is valuable in various situations to deter a wrongful act or a false accusation of one, or to prove that a wrongful act occurred.

In some correctional facilities, inmates may be given a two-person rule designation, which means that a minimum of two correctional officers must be utilized to move that particular inmate, primarily due to disciplinary reasons or possible officer safety issues.

In late March 2015 many civil aviation authorities and/or airlines made the cockpits of aircraft in flight mandatory "two-person" or "no-lone zones" as a result of the Germanwings Flight 9525 crash.[8][9][10][11][12] Early on in the investigation of that crash, it was believed from the cockpit voice recorder audio, and later supported by flight data recorder information, that the co-pilot deliberately crashed the aircraft after locking the cockpit door when the captain left to use the toilet.[13]

  1. ^ Maj Gen Margaret H. Woodward (23 April 2013). "AIR FORCE INSTRUCTION 91-104" (PDF-136 KB). p. 2. Retrieved 16 March 2015 – via Federation of American Scientists @ fas.org.
  2. ^ Waller, Douglas C. (4 March 2001). "Practicing For Doomsday". TIME. p. 3. Retrieved 16 March 2015. Extract from: Waller, Douglas C. (2001) Big Red: Three Months On Board a Trident Nuclear Submarine, HarperCollins ISBN 978-0-06-019484-0
  3. ^ a b Rosenbaum, Ron (February 28, 2011) "An Unsung Hero of the Nuclear Age – Maj. Harold Hering and the forbidden question that cost him his career" slate.com. Retrieved February 13, 2012
  4. ^ "Debate Over Trump's Fitness Raises Issue of Checks on Nuclear Power" at nytimes.com, 4 August 2016 (retrieved 6 August 2016
  5. ^ a b c d e "Two-person integrity" tpub.com, pp. 3–9 & 3–10
  6. ^ "no-lone zone (NLZ)". COMPUTER SECURITY RESOURCE CENTER. National Institute of Standards and Technology. Retrieved 2023-10-22.
  7. ^ Culver, William C. (26 March 2020). "AIR FORCE INSTRUCTION 91-101" (PDF). Department of the Air Force E-Publishing. p. 46 § 5.2.6.
  8. ^ "Germanwings Flight 4U9525: Canadian airlines told to have 2 people in the cockpit". CBC News. 27 March 2015. Retrieved 27 March 2015.
  9. ^ Cooke, Henry (27 March 2015). "CAA changes cockpit policy following Germanwings crash". Fairfax New Zealand. Retrieved 27 March 2015.
  10. ^ "Germanwings Crash: How the Aviation Industry Has Reacted". The Wall Street Journal. 27 March 2015. Retrieved 27 March 2015.
  11. ^ "'Rule of two': Australia to require two in a cockpit at all times in wake of Germanwings tragedy". The Sydney Morning Herald. 30 March 2015. Retrieved 30 March 2015.
  12. ^ "EASA recommends minimum two crew in the cockpit". EASA. 27 March 2015. Retrieved 28 March 2015.
  13. ^ "Germanwings crash: Co-pilot Lubitz 'accelerated descent'". BBC News. 3 April 2015.
  14. ^ McCluskey, Megan. "Stranger Things Season 3 Movie References Explained". Time. Retrieved 23 September 2024.

General