Two-person rule

Last updated
Sealed Authenticator System safe at a missile launch control center with two crew locks SAS Container.png
Sealed Authenticator System safe at a missile launch control center with two crew locks

The two-person rule is a control mechanism designed to achieve a high level of security for especially critical material or operations. Under this rule, access and actions require the presence of two or more authorized people at all times.

Contents

United States: nuclear weapons

Per US Air Force Instruction (AFI) 91-104, "the two-person concept" is designed to prevent accidental or malicious launch of nuclear weapons by a single individual. [1]

In the case of Minuteman missile launch crews, once a launch order is received, both operators must agree that it is valid by comparing the authorization code in the order against a Sealed Authenticator (a special sealed envelope containing a verification code). These Sealed Authenticators are stored in a safe which has two separate locks. Each operator has the key to only one lock, so neither can open the safe alone. Also, each operator has one of two launch keys; once the order is verified, they must insert the keys in slots on the control panel and turn them simultaneously. As a further precaution, the slots for the two launch keys are positioned far enough apart to make it impossible for one operator to reach both of them at once. For additional protection, the crew in another launch control center must verify the authorization code and turn their keys for the missiles to be launched. A total of four keys are thus required to initiate a launch.

On a submarine, both the commanding officer and the executive officer must agree that the order to launch is valid and then mutually authorize the launch with their operations personnel. Instead of another party who would confirm a missile launch as in the case of land-based ICBMs, a third officer – the Weapons Officer – must also confirm the launch. In addition, the set of keys is distributed among the key personnel on the submarine, and the keys are kept in safes (each of these crew members has access only to their key). Some keys are stored in special safes on board which are secured by combination locks. Nobody on board has the combination to open these safes; the unlock key comes as a part of the launch order (Emergency Action Message) from the higher authority. [2]

Journalist Ron Rosenbaum has pointed out that, once the order is issued, the process is entirely concerned with authenticating the identity of the commanding officers and the authenticity of the order, and there are no safeguards to verify that the order or the person issuing it is actually sane. [3] Notably, Major Harold Hering was discharged from the Air Force for asking the question, "How can I know that an order I receive to launch my missiles came from a sane President?" [3]

The two-person rule only applies in the missile silos and submarines; there is no check on the US president's sole authority to order a nuclear launch. [4]

Cryptographic material

Two-person integrity (TPI) is the security measure taken to prevent single-person access to COMSEC keying material and cryptographic manuals. TPI is accomplished as follows: [5]

At no time can one person have in their possession the combinations or keys to gain lone access to a security container or cryptographic equipment containing COMSEC material. Neither can one person have sole possession of COMSEC material that requires TPI security. [5]

No-lone zone

Sign in the Titan Missile Museum No lone zone.jpg
Sign in the Titan Missile Museum

A no-lone zone is an area that must be staffed by two or more qualified or cleared individuals at all times. [6] The individuals must maintain visual contact with each other and with the component(s) that require the no-lone-zone area designation. Such a zone may contain a cryptographic component, weapon system hardware under test, a nuclear weapon, active weapon controls, or other such critical information or devices.

In the United States Air Force (USAF) policy concerning critical weapons, a no-lone zone is an area for which entry by a single unaccompanied individual is prohibited. The two-person concept requires the presence of at least two individuals knowledgeable of the task(s) to be performed; in addition, each individual must be capable of detecting an incorrect or unauthorized procedure on the part of any others regarding the task(s). [7]

Other uses

The two-person rule is used in other safety-critical applications where the presence of two people is required before a potentially hazardous operation can be performed. This is common safety practice in, for example, laboratories and machine shops. In such a context, the additional security may be less important than the fact that if one individual is injured the other can call for help. As another example, firefighters operating in a hazardous environment (i.e., interior structure fire, HAZMAT zone, also known as IDLH, or "immediately dangerous to life or health") function as a team of at least two personnel. There is commonly more than one team in the same environment, but each team operates as a unit.

Dual keys require the authorization of two separate parties before a particular action is taken. The simplest form of dual key security is a lock that requires two keys to open, with each key held by a different person. The lock can only be opened if both parties agree to do so at the same time. In 1963, Canada accepted having American W-40 nuclear warheads under dual key control on Canadian soil, to be used on the Canadian BOMARC missiles.

Similarly, many banks implement some variant of the two-person rule to secure large sums of money and valuable items. Under this concept, unlocking the vault requires two individuals with different keys if the vault is secured by a key lock system. For bank vaults secured by combination locks, two or more employees may each be given a portion of the combination. None of them knows the entire combination, and all of them must be physically present in order to open the vault.

As an extension of the broader rationale for the two-person rule, regulations for some companies or not-for-profit organizations may require signatures of two executives on checks. These rules make it harder for an individual acting alone to defraud the organization.

Some software systems enforce a two-person rule whereby certain actions (for example, funds wire transfers) can only take place if approved by two authorized users. This helps prevent expensive errors, and makes it more difficult to commit fraud or embezzlement. While such requirements are common in financial systems, they are also used in controls for critical infrastructure, such as nuclear reactors for electrical power generation, and dangerous operations, such as biohazard research facilities.

Finally, the testimony of two witnesses is valuable in various situations to deter a wrongful act or a false accusation of one, or to prove that a wrongful act occurred.

In some correctional facilities, inmates may be given a two-person rule designation, which means that a minimum of two correctional officers must be utilized to move that particular inmate, primarily due to disciplinary reasons or possible officer safety issues.

Civilian aircraft

In late March 2015 many civil aviation authorities and/or airlines made the cockpits of aircraft in flight mandatory "two-person" or "no-lone zones" as a result of the Germanwings Flight 9525 crash. [8] [9] [10] [11] [12] Early on in the investigation of that crash, it was believed from the cockpit voice recorder audio, and later supported by flight data recorder information, that the co-pilot deliberately crashed the aircraft after locking the cockpit door when the captain left to use the toilet. [13]

See also

Related Research Articles

After the September 11 attacks, there was an immediate call to action regarding the state of aviation security measures as the hijackers involved in 9/11 were able to successfully pass through security and take command of the plane. The existing security measures flagged more than half of the 19 hijackers in 9/11; however, they were cleared to board the plane because their bags were not found to contain any explosives. In the months and years following September 11, 2001, security at many airports worldwide were reformed to deter similar terrorist plots.

<span class="mw-page-title-main">Access control</span> Selective restriction of access to a place or other resource, allowing only authorized users

In physical security and information security, access control (AC) is the selective restriction of access to a place or other resource, while access management describes the process. The act of accessing may mean consuming, entering, or using. Permission to access a resource is called authorization.

<span class="mw-page-title-main">Communications security</span> Discipline of telecommunications

Communications security is the discipline of preventing unauthorized interceptors from accessing telecommunications in an intelligible form, while still delivering content to the intended recipients.

<span class="mw-page-title-main">Permissive action link</span> Access control device for nuclear weapons

A permissive action link (PAL) is an access control security device for nuclear weapons. Its purpose is to prevent unauthorized arming or detonation of a nuclear weapon. The United States Department of Defense definition is:

A device included in or attached to a nuclear weapon system to preclude arming and/or launching until the insertion of a prescribed discrete code or combination. It may include equipment and cabling external to the weapon or weapon system to activate components within the weapon or weapon system.

International Traffic in Arms Regulations (ITAR) is a United States regulatory agency to restrict and control the export of defense and military technologies to safeguard national security and further its foreign policy objectives.

<span class="mw-page-title-main">Single Integrated Operational Plan</span> 1961–2003 US nuclear strategy document

The Single Integrated Operational Plan (SIOP) was the United States' general plan for nuclear war from 1961 to 2003. The SIOP gave the President of the United States a range of targeting options, and described launch procedures and target sets against which nuclear weapons would be launched. The plan integrated the capabilities of the nuclear triad of strategic bombers, land-based intercontinental ballistic missiles (ICBM), and sea-based submarine-launched ballistic missiles (SLBM). The SIOP was a highly classified document, and was one of the most secret and sensitive issues in U.S. national security policy.

<span class="mw-page-title-main">Nuclear football</span> US device for a nuclear attack order

The nuclear football is a briefcase, the contents of which are to be used by the president of the United States to communicate and authorize a nuclear attack while away from fixed command centers, such as the White House Situation Room or the Presidential Emergency Operations Center. Functioning as a mobile hub in the strategic defense system of the United States, the football is carried by a military aide when the president is traveling.

<span class="mw-page-title-main">AIM-47 Falcon</span> American high-performance air-to-air missile

The Hughes AIM-47 Falcon, originally GAR-9, was a very long-range high-performance air-to-air missile that shared the basic design of the earlier AIM-4 Falcon. It was developed in 1958 along with the new Hughes AN/ASG-18 radar fire-control system intended to arm the Mach 3 XF-108 Rapier interceptor aircraft and, after that jet's cancellation, the YF-12A. It was never used operationally, but was a direct predecessor of the AIM-54 Phoenix used on the Grumman F-14 Tomcat.

<span class="mw-page-title-main">South Africa and weapons of mass destruction</span>

From the 1960s to the 1990s, South Africa pursued research into weapons of mass destruction, including nuclear, biological, and chemical weapons under the apartheid government. South Africa’s nuclear weapons doctrine was designed for political leverage rather than actual battlefield use, specifically to induce the United States of America to intervene in any regional conflicts between South Africa and the Soviet Union or its proxies. To achieve a minimum credible deterrence, a total of six nuclear weapons were covertly assembled by the late 1980s.

<span class="mw-page-title-main">Nuclear weapons of the United States</span>

The United States was the first country to manufacture nuclear weapons and is the only country to have used them in combat, with the bombings of Hiroshima and Nagasaki in World War II. Before and during the Cold War, it conducted 1,054 nuclear tests, and tested many long-range nuclear weapons delivery systems.

The United States government classification system is established under Executive Order 13526, the latest in a long series of executive orders on the topic of classified information beginning in 1951. Issued by President Barack Obama in 2009, Executive Order 13526 replaced earlier executive orders on the topic and modified the regulations codified to 32 C.F.R. 2001. It lays out the system of classification, declassification, and handling of national security information generated by the U.S. government and its employees and contractors, as well as information received from other governments.

<span class="mw-page-title-main">Launch on warning</span> Nuclear strategy

Launch on warning (LOW), or fire on warning, is a strategy of nuclear weapon retaliation where a retaliatory strike is launched upon warning of enemy nuclear attack and while its missiles are still in the air, before detonation occurs. It gained recognition during the Cold War between the Soviet Union and the United States. With the invention of intercontinental ballistic missiles (ICBMs), launch on warning became an integral part of mutually-assured destruction (MAD) theory. US land-based missiles can reportedly be launched within 5 minutes of a presidential decision to do so and submarine-based missiles within 15 minutes.

<span class="mw-page-title-main">Nuclear briefcase</span> Used to authorize the use of weapons

A nuclear briefcase is a specially outfitted briefcase used to authorize the use of nuclear weapons and is usually kept near the leader of a nuclear weapons state at all times.

<span class="mw-page-title-main">United Nations Security Council Resolution 1718</span> 2006 sanctions on North Korea

United Nations Security Council Resolution 1718 was adopted unanimously by the United Nations Security Council on October 14, 2006. The resolution, passed under Chapter VII, Article 41, of the UN Charter, imposes a series of economic and commercial sanctions on the Democratic People's Republic of Korea in the aftermath of that nation's claimed nuclear test of October 9, 2006.

<span class="mw-page-title-main">2007 United States Air Force nuclear weapons incident</span> Accidental loading of warheads onto an aircraft

On 29 August 2007, six AGM-129 ACM cruise missiles, each loaded with a W80-1 variable yield nuclear warhead, were mistakenly loaded onto a United States Air Force (USAF) B-52H heavy bomber at Minot Air Force Base in North Dakota and transported to Barksdale Air Force Base in Louisiana. The nuclear warheads in the missiles were supposed to have been removed before the missiles were taken from their storage bunker. The missiles with the nuclear warheads were not reported missing and remained mounted to the aircraft at both Minot and Barksdale for 36 hours. During this period, the warheads were not protected by the various mandatory security precautions for nuclear weapons.

<span class="mw-page-title-main">Army Strategic Forces Command (Pakistan)</span> Pakistan Armys field maneuver strike corps.

The Pakistan Army Strategic Forces Command is a strategic and missile formation of the Pakistan Army. Headquartered at the Joint Staff HQ in Chaklala near Rawalpindi, the strategic command controls the land-based ballistics and cruise missile systems—both nuclear and conventional.

Harold L. Hering is a former officer of the United States Air Force, who was discharged in 1975 for requesting basic information about checks and balances to prevent an unauthorized order to launch nuclear missiles. Hering was subsequently presented the 2017 Courage of Conscience Award at the Peace Abbey, Boston, Massachusetts.

<span class="mw-page-title-main">Mark 26 missile launcher</span> Guided Missile Launching System

The Mark 26 Guided Missile Launching System (GMLS) was a United States Navy fully automated system that stows, handles, and launches a variety of missiles. The system supported RIM-66 Standard, RUR-5 ASROC, and potentially other weapons. The Mark 26 had the shortest reaction time and the fastest firing rate of any comparable dual arm shipboard launching system at the time. With only one man at the control console, a weapon can be selected, hoisted to the guide arm, and launched. Several mods provided magazine capabilities of 24 to 64 missiles.

<span class="mw-page-title-main">Germanwings Flight 9525</span> 2015 deliberate airliner crash in France

Germanwings Flight 9525 was a scheduled international passenger flight from Barcelona–El Prat Airport in Spain to Düsseldorf Airport in Germany. The flight was operated by Germanwings, a low-cost carrier owned by the German airline Lufthansa. On 24 March 2015, the aircraft, an Airbus A320-211, crashed 100 km north-west of Nice in the French Alps, killing all 150 people on board.

<span class="mw-page-title-main">Nuclear close calls</span> List of incidents which could have led to a nuclear exchange

A nuclear close call is an incident that might have led to at least one unintended nuclear detonation or explosion, but did not. These incidents typically involve a perceived imminent threat to a nuclear-armed country which could lead to retaliatory strikes against the perceived aggressor. The damage caused by international nuclear exchange is not necessarily limited to the participating countries, as the hypothesized rapid climate change associated with even small-scale regional nuclear war could threaten food production worldwide—a scenario known as nuclear famine. There have also been a number of accidents involving nuclear weapons, such as crashes of nuclear armed aircraft.

References

  1. Maj Gen Margaret H. Woodward (23 April 2013). "AIR FORCE INSTRUCTION 91-104" (PDF-136 KB). p. 2. Retrieved 16 March 2015 via Federation of American Scientists @ fas.org.
  2. Waller, Douglas C. (4 March 2001). "Practicing For Doomsday". TIME . p. 3. Retrieved 16 March 2015. Extract from: Waller, Douglas C. (2001) Big Red: Three Months On Board a Trident Nuclear Submarine, HarperCollins ISBN   978-0-06-019484-0
  3. 1 2 Rosenbaum, Ron (February 28, 2011) "An Unsung Hero of the Nuclear Age – Maj. Harold Hering and the forbidden question that cost him his career" slate.com. Retrieved February 13, 2012
  4. "Debate Over Trump's Fitness Raises Issue of Checks on Nuclear Power" at nytimes.com, 4 August 2016 (retrieved 6 August 2016
  5. 1 2 3 4 5 "Two-person integrity" tpub.com, pp. 3–9 & 3–10
  6. "no-lone zone (NLZ)". COMPUTER SECURITY RESOURCE CENTER. National Institute of Standards and Technology . Retrieved 2023-10-22.
  7. Culver, William C. (26 March 2020). "AIR FORCE INSTRUCTION 91-101" (PDF). Department of the Air Force E-Publishing. p. 46 § 5.2.6.
  8. "Germanwings Flight 4U9525: Canadian airlines told to have 2 people in the cockpit". CBC News. 27 March 2015. Retrieved 27 March 2015.
  9. Cooke, Henry (27 March 2015). "CAA changes cockpit policy following Germanwings crash". Fairfax New Zealand. Retrieved 27 March 2015.
  10. "Germanwings Crash: How the Aviation Industry Has Reacted". The Wall Street Journal . 27 March 2015. Retrieved 27 March 2015.
  11. "'Rule of two': Australia to require two in a cockpit at all times in wake of Germanwings tragedy". The Sydney Morning Herald . 30 March 2015. Retrieved 30 March 2015.
  12. "EASA recommends minimum two crew in the cockpit". EASA. 27 March 2015. Retrieved 28 March 2015.
  13. "Germanwings crash: Co-pilot Lubitz 'accelerated descent'". BBC News. 3 April 2015.
  14. McCluskey, Megan. "Stranger Things Season 3 Movie References Explained". Time. Retrieved 23 September 2024.
General