OSINT capabilities of the FBI/DHS before J6 were sabotaged, apparently to blind it to the actual threats coming from the left.
- Before January 6, open intelligence (OSINT) gathering was handled by the compromised Washington Field Office, headed by the notorious D’Antuono.
- The analysts of the DHS Office of Intelligence and Analysis (“I&A”) were instructed to analyze only explicit threats, usually issued by people without intent to follow up on them, and to ignore more useful types of intelligence, which could have revealed the preparations of the leftist groups.
- Somebody undermined the law enforcement OSINT by suddenly replacing social media data mining companies and products on January 1, 2021.
FBI WFO handled OSINT
Before January 6, open intelligence (OSINT) gathering was handled by the compromised Washington Field Office (per the HSAG Review), headed by notorious D’Antuono.
Known threat actors and indicators of the risk of violence were excluded from the DHS analysis
I&A analysts were instructed to analyze only explicit threats, usually issued by people (including children) without intent to follow up on them and to ignore information about known threat actors (such as antifa and less known leftist militias) and about increasing risk of violence. If not for these restrictions, I&A could have revealed the preparations of the leftist militant groups.
Apparently, these changes were instituted because of the complaints from the antifa/BLM and their congressional and media sponsors about law enforcement treatment of their summer riots and the attack on the White House on May 31, 2020.
Even before that, law enforcement could not explore social media at will. I&A had to utilize private companies (such as Dataminr) to generate “leads”, was apparently limited to keyword searches alone, and was allowed to report and pursue only leads that fell under one of the three following categories:
“I&A intelligence collectors may report information in intelligence products if the information:
➢ contains true threats or incitement to violence, and not hyperbole;
➢ provides information that enhances I&A’s understanding of known threat actors; or
➢ includes information that demonstrates a risk of violence during a heightened threat environment” (the HSAG Review, p. 90)
By 2021, the analysts were instructed to pursue only the first kind of leads. Also, they could follow tips from the social media platforms themselves, and private citizens, becoming exposed to third-party manipulation.
Senate Committee on Homeland Security and Government Affairs, A Review of Intelligence Failures in Advance of January 6th, 2021 (Majority Report, June 2023) (the “HSAG Review”) is another Democrat attempt to keep the narrative that Trump supporters attacked the Capitol. Nevertheless, it acknowledged (emphasis is added):
“[Stephanie] Dobitsch reinforced these findings, acknowledging in an interview with the House Select Committee that after the events of the summer of 2020, “there was a lot of confusion” about I&A’s reporting guidelines and that the training provided to I&A staff “was not clear.” Dobitsch confirmed that I&A’s open source intelligence collectors were trained only to report open source information related to “true threats and incitement,” and were not instructed to consider whether information met I&A’s other two criteria for reporting, which includes information that “enhances I&A’s understanding of known threat actors” or information that “demonstrates a risk of violence during a heightened threat environment.” Dobitsch stated that this change after the summer of 2020 “reduced the information from which we would report on compared to the summer,” calling it “a significant narrowing of scope of mission.”” (p.91)
HSAG Upside Down
The HSAG Review turns this conclusion upside down, claiming that if not for this diminished OSINT capacity, law enforcement would be better prepared to allegedly pro-Trump violence. Nevertheless, it does not support its interpretation with any facts. Neither the body of the HSAG Review nor the relevant referenced documents[1] show any evidence of planning violence by Trump supporters or right-wing groups. They contain few anecdotes, mostly regurgitated from other documents. None of the mentioned social media posts is linked to any person or evidence from the January 6 violence, despite nearly a thousand arrests and an unprecedented attempt by the FBI to connect the evidence from J6 to any prior planning by Trump supporters.
On the other hand, if I&A OSINT were not hamstrung, it would have easily identified antifa / BLM provocateur John Sullivan by his social media footprint (archive) and prevented the killing of Ashli Babbitt.
The sudden switch to another social media surveillance provider
Somebody tripped up the analysts’ work by suddenly replacing the social media exploration contractor Dataminr with CMA Technology, which was subcontracting the work to ZeroFox, starting on January 1. More suspicious was timing. The contract with CMA Technology was signed on December 30, 2020. Whoever did that certainly expected that Democrats would rule for the next four years.
The FBI/DHS officials expressed shock when they learned of the change. It should be obvious why. The differences between such products are usually huge, setup takes time, and users need training on the new product. This is like replacing a plane’s turboprop with a turbofan engine (or vice versa) and not telling the pilot.
Some FBI agents reportedly called ZeroFox ‘zerof*cks’.
The HSAG Review acknowledged (pp. 84-87, emphasis is added, square brackets are in the source):
“This investigation found that the FBI’s efforts to effectively detect threats on social media in the lead-up to January 6th were hampered by the Bureau’s change in contracts mere days before the attack. Prior to 2021, FBI contracted with the company Dataminr that used pre-defined search terms to identify potential threats from voluminous open-source posts online, which FBI could then investigate further as appropriate. Effective Jan. 1, 2021, FBI’s contract for these services switched to a new company called ZeroFox that would perform similar functions under a new system. Internal FBI communications obtained by the Committee show how that transition caused confusion and concern as the Bureau’s open-source monitoring capabilities were degraded less than a week before January 6th.”
“On Dec. 31, 2020 – the last day of the contract with Dataminr –WFO sent an email to the FBI Office of the Chief Information Officer (OCIO), stating, “[w]e have an urgent need for the Dataminr replacement to be on and active starting on 4 January in support of some potential issues in the DC area. Do you have a timeline on when you will release the new system? The sudden discontinuation is most untimely as much of our crisis response funnels through Dataminr. … After that email was forwarded to her, Moore replied, “How did the [sic] expire without a replacement firmly solidified? Is this the first notice we have gotten? Ughhh.” WFO staff then replied to Moore and stated, “Yep, had no idea this was coming. Unless they are [turning] on the replacement January 1, we’re in an unfortunate spot for next week.”
‘WFO noted that Dataminr had “allowed us to be proactive and stay aware of current events” amid violent incidents in recent months, as it allowed FBI employees to “quickly access threat reporting without needing to be an expert. Their key term search allows Intel to enter terms we are interested in without having to constantly monitor social media as we’ll receive notification alerts when a social media posts [sic] hits on one of our key terms,” and described those alerts as “crucial.” WFO raised concern about the loss of Dataminr at that moment: All field office employees working command posts and any incident are already trained on Dataminr and have access allowing immediate monitoring in the command post. In light of events of next week, WFO is concerned there will not be enough time to get all employees trained on a new tool and access by this coming week and probably not for the Inauguration…’”
“After the new contract with ZeroFox went into effect on Jan. 1, 2021, internal emails show that WFO personnel were still concerned about operability. In a January 2nd email from the WFO Intelligence Response Team to FBI-OCIO, WFO said that ZeroFox had created accounts for WFO personnel but they had not yet set up the automated searches that WFO relied on.”
Notice that the Review confuses CMA Technology (the contractor) and ZeroFox (the provider/subcontractor).
See also screenshots on these pages in the HSAG Review.
By the way, ZeroFox denies it worked with the FBI on Jan 6 (personal knowledge). In 2015, ZeroFox did, but it caught flak when it correctly flagged two BLM leaders as threat actors.
Unrelated Elephant
“[FBI Matthew] Alcoke then replied: I realize managing what the elephant sees and hears is sometimes the best way to control the elephant’s movements (that’s the bigger fed elephant, not the DD!!).” The HSAG Review, pp. 92-93.
Conclusion
“Similarly, I&A did not issue any intelligence bulletins specific to January 6th, and instead issued only high-level products in 2020 that described general threat trends nationwide.” (The HSAG Review, p.5). The intelligence collection, analysis, and dissemination by the USCP is covered in Pre-Jan 6 Intelligence.
Contents
Known threat actors and indicators of the risk of violence were excluded from the DHS analysis
The sudden switch to another social media surveillance provider
Footnotes
[1] OIG-22-29 – I&A Identified Threats prior to January 6, 2021, but Did Not Issue Any Intelligence Products before the U.S. Capitol Breach – REDACTED (dhs.gov)
Capitol Attack: Federal Agencies Identified Some Threats, but Did Not Fully Process and Share Information Prior to January 6, 2021 [Reissued with revisions on Jul. 21, 2023] | U.S. GAO, where the main document is gao.gov/assets/gao-23-106625.pdf