Virginia National Guard Airmen assigned to the 192nd Security Forces Squadron, 192nd Mission Support Group, 192nd Wing help to secure the grounds near the U.S. Capitol, Jan. 13, 2021, in Washington, D.C. (U.S. Air National Guard photo by Staff Sgt. Bryan Myhr)

After the Capitol Riot, What Is Your State of Preparedness?

What happened on Jan. 6 at the U.S. Capitol had a surreal feel to it. While there were a lot of concerns and indicators that a large group of voters were not happy with the outcome of the November presidential election, there were few who would have believed it would have gone this far. And yet it did. There will be investigations upon investigations to understand what happened and how, while other investigations pursue those who participated in the attack. The outcomes will be able to help organizations review and assess against their own practices and determine if there are areas they can improve upon as well.

However, that is likely to take several weeks, if not longer. Organizations do not need to wait in order to take an assessment of what happened, how it happened, what can be gained from this incident, and what can be reinforced as established business practices. A potential mistake and an overriding issue for organizations is a belief that this should never have happened and will not happen in the future. This is a failed approach. It did happen, people and key leaders enabled it to happen, and it could happen again if the right lessons are not learned. Whether it is this type of threat, or the risk of a low probability action related to another hazard, organizations are encouraged to assess their state of preparedness for an incident and then the escalation of those events. Hoping it doesn’t happen is not the same as knowing that if it does happen that the organization is ready.

The events from that day have led to valuable and important lessons learned, which are being activity debated and investigated. An official report on findings will undoubtedly be released in the future, but the immediate lessons learned have to be reviewed now and addressed within respective organizations. It goes without saying that the Capitol, the Capitol Police, and Washington, D.C., authorities all contributed in part to the lack of effective preparedness for and response to the incident. But what does “unprepared” mean? And how can it be applied in organizational planning and preparedness? Some of the immediate important lessons learned include:

A Failure to Anticipate Potential Escalation. This is difficult to understand since the groups participating did not necessarily conceal their intentions. Consider the following:

  • Shops and restaurants had taken necessary precautions; some had been boarded up.
  • Signs have been posted along major avenues to remind passers-by about D.C.’s strict gun laws.
  • In a memo from the House of Representatives’ sergeant-at-arms, lawmakers were advised to use underground tunnels instead of public streets around the U.S. Capitol.
  • On Jan. 5, approximately 340 troops with the D.C. National Guard began to take positions around the nation’s capital.
  • Groups such as the Proud Boys and Oath Keepers were actively promoting attendance. The leader of the Proud Boys was arrested when he arrived in Washington on Jan. 4 for other charges. The group also had previously announced that the group’s members would “be incognito” and “spread across downtown D.C. in smaller teams.”
  • Pro-Trump groups organized caravans that were stopping in at least 20 cities on their way to attend the rallies in D.C.
    • The Eighty Percent Coalition filed a permit for a protest of roughly 10,000 attendees.
    • Women for America First filed a request for a permit for 5,000 protesters at Freedom Plaza.
  • A week before Christmas, Trump tweeted, “Big protest in D.C. on January 6th… Be there, will be wild!”
  • Reporting also noted that the FBI and the New York City Police Department passed information to U.S. Capitol Police about the possibility of violence during the protests.

So, the indicators were present that there was going to be an event. But there have always been events of various sizes and types on Washington. There have even been pro-Trump rallies before. They had not been violent in the past so there could have been a dismissive belief that there would be a lot of people but no different than before. Yet, this would again signal a failure to understand the dynamics. The other rallies were shows of support. However, Jan. 6 represented the certification of the Electoral College. A rally would not be enough. In order to “stop the steal” the groups would literally have to stop the process.

Two lessons:

  1. All protests are not created equal. The agencies involved failed to understand the significance of the event and were underprepared. Yes, there was planning and preparedness conducted, but not nearly enough as will be noted in subsequent items below.
  2. There was a failure to understand changes in behavior. Not only did the president support the initial rally at the White House, he even showed up and talked at it. In fact, the two most senior people, the president and Rudy Giuliani, spoke to and encouraged the crowd. In an already charged environment, words such as “trial by combat” and “march on the Capitol” could easily be construed as intentionally inflammatory expressions. To some protest participants, that meant that they would not stop until they changed the outcome of a free and fair election that had been determined by the courts and agreed upon in the Electoral College.

In these instances, the information and intelligence leading up to the event is just the first part of the effort. The indicators listed above should have been enough for an increased effort at the beginning of the event. But even so, the second part of the effort should have been in the active monitoring. This includes monitoring the activities and speeches online or through social media posts. It should be assumed that this was being done, but the critical component to understand was whether the information gained throughout this event was communicated to the leadership who could then make decisions.

  • Prior to the event, the organization should establish intelligence requirements. These represent intelligence/information for what the organization needs to know in order to be successful in whatever endeavor they specify.
  • After the requirements are identified, a series of indicators will be developed which will help identify those actions that may support that requirement.
  • Then the organization looks at ways in which they can collect that information, whether it be through online monitoring, observation from employees, or other means.
  • Then these indicators are linked to decision points and actions the organization should take.

In this instance, one of the intelligence requirements should have focused on whether the crowd could turn violent. Indicators could have included the tone of the speeches (Giuliani and Trump), mood of the crowd, weapons in the crowd, and slogans or chants of the crowd. This would have all been able to trigger a decision point to increase security. All of those indicators were present, yet the security situation did not appear to change. And unfortunately led to the second area.

The Rules of Engagement. Rules of engagement are the internal rules or directives among groups (including individuals) that define the circumstances, conditions, degree, and manner in which the use of force, or actions which might be construed as provocative, may be applied. When coordinating security, it is important that personnel know what the rules of engagement are as well as the levels of escalation.

In regard to last week’s events, this will likely not be fully understood until the formal report comes out in the coming months. However, what is clear from the videos and firsthand accounts, there appeared to be confusion about the guards’ instructions and how they were to respond to actions. There were approximately 1,500 Capitol Police deployed but they only had metal barriers to hold back the crowd, barriers which were overtaken and used by the rioters. While pictures were shown of some officers with their weapons drawn against the protesters, there are other instances in which the guards struggled with what type of response was authorized – some even just got out of the way. There appeared to be inconsistencies with how the police officers were allowed, authorized, or understood to respond.

  • What were the rules of engagement?
  • Did these vary based on location inside or outside the building?
  • Were there escalation procedures?
  • Were rules clearly communicated and understood?

For organizations, this can apply to any number of situations above and beyond protests and demonstrations.

  • How to handle unruly fans or patrons at concerts, or sporting events.
  • Customers who create a scene over the enforcement of company policies, similar to those experienced enforcing various mask or COVID procedures.
  • In response to a customer complaint that escalates their tone and behaviors. This type of process is already addressed in many organizations, but refresher training can always incorporate the latest type of customer complaint trends. It would not be difficult to visualize a customer introducing politics into the organization’s handling of a matter.

Failure to Understand the Power of Dis/Misinformation. This has application above and beyond the incident on Jan. 6. Dis/misinformation has been a topic of extensive reporting over the past year and has had an impact on public perception and understanding across a number of issues. In this incident, it was specific to the results of the 2020 election, but has also seen impacts related to COVID, and the development and effectiveness of the COVID vaccine. Threat actors have routinely targeted the public with scams and data that seek to undermine trust and confidence in processes and procedures as well as to create dissension and raise emotions. They seek to exploit human behavior for their benefit.

Even before the election, President Trump and some of his supporters have sought to undermine the results of the election with a series of unfounded accusations and statements. This included the legality of mail-in voting, the accuracy of election machines (one of the companies filed a lawsuit against one of Trump’s former lawyers for libel and damages in excess of $1 billion), that Trump didn’t just win but won in a landslide victory, among others. These individuals were so adamant about their claims that despite the cases being thrown out in courts across the country, the supporters chose to believe that massive voter fraud had occurred. Media that was friendly to the president continued to beat the drum and gave credence to these claims, senselessly debating these on programming while routinely pointing to Jan. 6 as the “be all, end all.” The rally was even given the name “Save America Rally.” What could be more patriotic and more noble a cause than saving one’s country from a national fraud? It is also of note that there are influencers and personalities who are spreading dis/misinformation related to the events at the Capitol as an “inside job” and citing numerous indicators that police allowed this to happen. Though there were some troubling police behaviors, these dis/misinformation incidents are just as dangerous.

The individuals who attended the rally had bought into the dis/misinformation. They believed they were on the “right side of history.” As can happen when looking back at critical incidents or crimes, those involved may not appear capable of such acts, even to those who may “know” them. However, by understanding the various ways individuals can be mobilized to violence or extremist ideology, there are indicators that can appear that may identify potential issues in advance. This has been a repeated issue when examining hostile events through the Hostile Event Attack Cycle. For all the individuals wearing horns and bear skin, there were also individuals from all walks of life including elected state officials, law enforcement officers, military veterans, CEOs, and others. The individuals who have been arrested after the rally included:

  • An Alabama grandfather who drove to Washington in a vehicle packed with an M4 assault rifle, multiple loaded magazines, three handguns and 11 Mason jars filled with homemade napalm.
  • A Georgia man who in the wake of the election had protested outside the home of Republican Gov. Brian Kemp. Prior to the rally, he texted several friends and relatives that he had armor-piercing ammo and had contemplated killing House Speaker Nancy Pelosi on live television.
  • Several individuals who held beliefs in QAnon, the group that believes that President Trump is fighting a secret war against elite Satan-worshipping pedophiles in government, business and the media.

Lesson Learned. This unfortunately serves as a grim reminder of the power that dis/misinformation can have. And despite repeated efforts to counter it with facts or evidence to the contrary, there is seemingly no amount of evidence that could convince someone who has bought in. And this is also a reminder that this type of dis/misinformation, coupled with inciteful comments, such as those delivered by Giuliani and Trump, gave some individuals the perceived green light to act. Once thought to apply only to religious extremist groups, the below references also include indicators that could apply to a new evolving type of extremism moving forward – one that attempts to normalize their message, give misleading evidence to support their beliefs, while claiming to only resort to violence when triggered or pushed by other violence. For example, in this particular case, there were several prominent influences or media personalities who attempted to claim that Antifa had infiltrated the crowd to encourage the violence. This was disproven.

With any event, identifying and recognizing the lessons learned are extremely important to not only continue with successful actions, but to improve upon for the future. For the riot at the U.S. Capitol on Jan. 6, there were numerous areas that could be addressed. The above items represent three areas, but there are likely to be many more that could be of significance. As noted in the sections above, some key elements include:

  1. Hold an AAR / Lessons Learned Exercise. Even if your organization was nowhere near the incident there are things that can be gained. Use the information available and discuss some of the highlighted areas. It can be broken down by key event to examine what were signs that something might occur and what did the organization do, or not do.
  2. Examine Threat Sources. Did you have the tools and information available before, during and after to make key decisions?
  3. Rule of Engagement. Do you have them? Do you need them? (Yes.) What are the situations you address? Are there others you need?
  4. Dis/misinformation. It would be important to ensure that employees and customers as well are aware of the type of dis/misinformation that exists related to your respective organization.
  5. Indicators of Extremist Ideology. Does your organization have training that addresses identification of suspicious behaviors or inappropriate attitudes and comments in the workplace? Is there a reporting process set up that allows for transparent processing?
(Visited 497 times, 1 visits today)

David Pounder is the Director, Threat and Risk Analysis at Gate 15 and serves as an Information Security Officer for a leading financial organization. He advises on both physical and cyber security issues, and specializes in counterterrorism, force protection, and counterintelligence efforts.

Leave a Reply

Latest from Counterterrorism

Go to Top
X