You are on page 1of 19

International Journal of Intelligence and


ISSN: 0885-0607 (Print) 1521-0561 (Online) Journal homepage:

Challenging the “Lone Wolf” Phenomenon in an

Era of Information Overload

Avner Barnea

To cite this article: Avner Barnea (2018) Challenging the “Lone Wolf” Phenomenon in an Era of
Information Overload, International Journal of Intelligence and CounterIntelligence, 31:2, 217-234,
DOI: 10.1080/08850607.2018.1417349

To link to this article:

Published online: 26 Mar 2018.

Submit your article to this journal

View related articles

View Crossmark data

Full Terms & Conditions of access and use can be found at
International Journal of Intelligence and CounterIntelligence, 31: 217–234, 2018
Copyright © Taylor & Francis Group, LLC
ISSN: 0885-0607 print/1521-0561 online
DOI: 10.1080/08850607.2018.1417349

none defined


Challenging the “Lone Wolf”

Phenomenon in an Era of Information

The phenomenon of individual Islamic terrorist attacks (“Lone Wolf”)

taking place in Europe, the United States, and Israel raises questions
about the ability of intelligence agencies to prevent such deadly assaults.
Dealing with unexpected attacks by “lone wolves” has been made even
more problematic by the return to Europe and the U.S. of extremists who
have received training in terrorism from the Islamic State of Iraq and
Syria (ISIS) and from other terrorist organizations based in Syria and
Iraq. The general public’s fear of terrorism remains high, while attempts
have been made, primarily by extreme right-wing politicians, to exploit
that fear for their own political advantage.1 This factor may, in turn, be
giving terrorists greater incentives to act.
Western intelligence services claim that they have significantly upgraded
their knowledge and systems for discovering and countering security
threats, and have improved their coverage of ISIS.2 Yet, the concern
is whether individual terrorists, operating in the digital age of information
overload, are identifying weaknesses in intelligence organizations and

Dr. Avnea Barnea is a research fellow at the National Security Studies Center,
The School of Political Sciences, at the University of Haifa, and lecturer on
“Counter Intelligence in Democratic Societies” in the Department of
Political Science at The Hebrew University of Jerusalem. He is the head of
the special program on competitive intelligence, corporate security,
cybersecurity, and crisis management in the MBA program at Netanya
Academic College, Netanya, Israel. Dr. Barnea is a former senior officer
with the Israeli Intelligence Community.


taking advantage of them. Is this then a new phenomenon—of the Lone

Wolf, a Black Swan3—whose attacks are almost impossible to predict and
Assessment of the effectiveness of intelligence agencies in preventing
terrorism, especially those of lone wolf’ attacks, is difficult because the
study of counterintelligence gets little scholarly attention, somewhat as a
result of exaggerated secrecy limitations. The issue then is whether
assessing the extent to which the advanced measures, developed over the
past decade in the field of information which were designed to stop
“classic” terrorist attacks, are effective against today’s type of terrorism.
I hypothesize that these advanced measures are not effective against
lone wolves.

In 1949, in the United States, Central Intelligence Agency (CIA) analyst
Sherman Kent introduced the triplicate framework within which to
consider the issue of intelligence as knowledge (information), activity
(measures to be taken), and organization (developing resources to enable
activities).4 Following Kent’s terms, counterintelligence is not just an
activity or organization but also knowledge and it is based on a solid
methodology. To Kent, the need is obvious for counterintelligence
information (knowledge) for use in taking counterintelligence measures
(activity) and for devoting resources to make these tasks happen
An early definition of counterintelligence developed in the U.S.
government in the 1950s states that counterintelligence is

the knowledge for the protection and preservation of the military,

economic and productive strength of the United States, including the
security of the Government in domestic and foreign affairs against or
from espionage, sabotage, subversion and all other (similar) illegal acts
designed to weaken or destroy the United States.6

Sherman Kent divided counterintelligence into two parts: domestic security

intelligence and foreign security intelligence. Later, counterintelligence was
divided into information control (including security clearance and security
of documents); physical security (guards systems and alarms), and area
control (border control and restricted areas). Quickly becoming clear was
that counterintelligence required mainly covert activities, such as the
detection of threats of espionage, terror, and subversion. Also involved
were investigation for finding evidence of such threatened activity and
research, which interpreted and organized the information so that it could



be properly utilized. Counterintelligence was then clearly based on the process

of the Intelligence Cycle7 with very few modifications.
After World War II, counterespionage became the focus of
counterintelligence,8 but this changed after the collapse of the Soviet
Union in 1991, and the attendant decline of espionage threats, which
marked the end of the Cold War and the beginning of the democratization
of Eastern Europe.


Since the beginning of the 21st century, and particularly after the terrorist
attacks on New York City and Washington, DC, of 11 September 2001
(9/11), the increase in worldwide terror has changed the face of
counterintelligence so that preventing terrorism has now become the major
security goal of the Western world. The United States and other Western
countries for a long time delayed the diverting of their efforts toward
counterterrorism, especially Islamic terrorism, and to building internal
cooperation among both their various intelligence agencies and with law-
enforcement organizations and legal systems. This task is still incomplete,
as such a change in focus demands constructing new intelligence
capabilities in personnel, in organizational structure, and in technologies,
including dedicated information systems.
Research has yet to come to grips with the change in focus from
counterespionage to counterterrorism.9 Most studies of counterterrorism
fail to recognize how counterterrorism intelligence issues differ from
traditional intelligence issues, and they also ignore the vital role of
intelligence in making its efforts successful.10 In fact, conducting
counterterrorism intelligence now relies heavily on targeted signals
intelligence (SIGINT), liaison relationships, document exploitation, and
interrogations—factors that have been frequently overlooked, as they are
not as important as in conventional intelligence.
While counterterrorism intelligence is mostly focused on stopping
terrorist groups and networks, some independent and other groups have
drawn strength from state sponsors,11 and a new layer of terrorism has
appeared: the “Lone Wolf” phenomenon. The regular tools used by
counterintelligence against terrorist cells cannot prevent lone wolf attacks.
The “Lone Wolf” terrorist phenomenon is enormously challenging to
counterterrorism agencies worldwide. During the past 15–20 years of
intensive combat against terrorism, capabilities for gathering huge
amounts of open source intelligence (OSINT) has led to remarkable
improvements, but they have not created enough of an advantage to
enable counterintelligence organizations to halt terrorism.



Given that the West’s principal fight against terrorism continues to be

waged in Europe, that the European Union’s (EU) objectives and
strategies have only recently received due attention in the relevant
academic community is remarkable. The EU has been approaching
counterterrorism in many ways, such as increasing the exchange of
information between police and intelligence agencies, protecting critical
infrastructure, developing external action, enacting counterterrorism
legislation, controlling European borders, and fighting against terrorist
recruitment and financing. All these actions are steps in the right direction,
but taking them earlier would have had a far greater impact.12
Notably, among the world’s nations, Israel has a long experience with
efforts at preventing terrorism, mainly internal, but also foreign. As a
result, Israel has been at the forefront of designing counterterrorism
programs since the early 1970s.13 Yet, despite having developed both
offensive and defensive modus operandi with high rates of success, Israel
has also been unable to completely prevent terrorism14


A significant number of the recent terrorist attacks carried out in France,
Germany, the United Kingdom, and other Western European countries, as
well as in the United States and Israel, belong to the pattern of “Lone Wolf.”
A “loner” or “lone wolf” is an individual who performs an act of
terrorism independently: he (and occasionally, she) is generally not part of
any organization, and sometimes acts spontaneously. Rarely sharing his
suicide intentions with others, he will sometimes leave a message of final
farewell on the Web before acting.
Recent lone wolf terrorist attacks in Europe, the United States, and Israel
can be divided into four categories, determined by the relationship that the
“loner” had with Islamic terrorist groups:

1. The individual had previously been in contact with a terrorist organization, but at
the time of committing the attack, he was not part of this terrorist infrastructure.
An example of such individual would be someone returning to Europe from the
Middle East or a refugee who had arrived after having once fought for ISIS or
other Islamic organizations in Syria and Iraq.
2. The individual had been in contact with virtual operators via the Internet, usually
through social media platforms of Islamic groups.
3. The individual had had diverse virtual connections with extremist Islamic groups
and was influenced by them, but had not received direct instruction to execute an
4. The individual had acted without any contact with extreme Islamic networks and
without anyone’s guidance, but rather was incited by his own distinctive distress.



Important to note is the opinion of many that there is no lone wolf

phenomenon,15 but rather that individual Islamist terrorists are always
linked to such terrorist organizations as al-Qaeda or ISIS. This view
contradicts a careful analysis of these attacks.
In the ongoing “Intifada of Knives” in Israel, which began in October
2015, the stabbing attacks are frequently done by lone wolves, as well as
by “classic” terrorists who are members of organized cells. In 2016, when
discussing this “Intifada of Knives,” Israel’s Chief of Staff, General Gadi
Eizencott, said: “There were no warnings about suicide stabbing attacks.
Israel faced 101 such events in the past three months, but we did not have
even one single warning.”16 The situation in Israel has not changed
substantially since then; lone wolves are a serious concern to
counterintelligence officials.


The phenomenon of “lone wolf” attacks is not new. Most political murders
in history, or attempts, were carried out by terrorists who acted alone. The
assassinations of President Abraham Lincoln, President John F. Kennedy,
Senator Robert F. Kennedy, Swedish Prime Minister Olaf Palme, the Rev.
Martin Luther King Jr., Prime Ministers Indira Gandhi and Rajiv Gandhi,
as well as the attempted murders of President Ronald Reagan and Pope
John Paul II, were carried out by lone wolves. (The assassination of
Israel’s Prime Minister Yitzhak Rabin is not included because the assassin,
Yigal Amir, had at least one partner involved in his plan.17) Another
example of a political lone wolf attack was by Timothy McVeigh who, in
1995, set off a bomb in front of the Federal Building in Oklahoma City
killing 168 and wounding hundreds. Although he received assistance from
Terry Nichols in building the bomb, McVeigh acted essentially alone from
that point on.
Recently, every jihadist terrorist attack by “lone wolves” has managed to
surprise the intelligence organizations.18 The 22 March 2017 strike in
London on the Westminster Bridge near Parliament led to four deaths,
with dozens more injured. The perpetrator, Khalid Masood, was a British
citizen and convert to Islam.
Although this is an era of increased information transparency, in which
much of what happens in the public sphere, including radical activity, is
known and shared,19 counterintelligence organizations have not usually
known about the intentions of “lone wolves.” Even when they have been
somewhat familiar with the perpetrators, the security authorities have
failed to prevent the attacks because these “lone wolves” operate on the
peripheries of Islamic religious group terrorist activity. In response to
public criticism taking them to task for their lack of success, police



officials have tended to reply that they often rely on information released by
the intelligence agencies. They claim to have difficulty receiving focused
intelligence warnings, especially about the intentions of “lone wolves,”
despite the huge resources devoted to dealing with this challenge. Britain’s
security services have revealed that, in the UK alone, they were monitoring
over 3,000 people suspected of having intentions to commit terrorist
attacks.20 This large number has raised serious questions regarding the
extent and effectiveness of the preventive measures taken by the UK’s
intelligence community.
The difficulties seem to stem from the fact that after the process of filtering
suspicious information by the intelligence agencies, many potential terrorists
fit into a broad pattern of threatening behavior with dangerous personal
profiles, but the agencies have little or no ability to focus on specific
human targets. As a result, intelligence organizations are too often
helpless. Various security programs to identify potential terrorists such as
“Contest,” used by British intelligence,21 unfortunately feature more
“noises'” than “signals,” and do not provide quality preventive intelligence.
Post-mortem analyses conducted by Western intelligence agencies after
terrorist attacks have usually brought to light information about
superficial contacts that terrorists had had with various suspicious parties,
including extreme Islamist factions. Despite this awareness, the terrorists
usually do not give specific advance warnings of their intentions and leave
the security people to react to events instead of preventing them.
A year ago, ISIS uploaded a video to the Internet called “Message to the
Lone Wolves,” urging terrorists to declare their support for ISIS, but warned
them not to be in direct contact with its known members prior to making a
terrorist act for fear of premature exposure. Likewise, Omar Hussain, a
British citizen and a key operative of ISIS in Syria, praised the “Warrior
acting alone” in the West.22


General Aharon Yariv, a former commander of the Israeli Military
Intelligence and later a Cabinet Minister, has emphasized that a key factor
in a dedicated counterintelligence organization is the prevention of
terrorism. General Yariv added that “unlike a classical battlefield, where
composition of intensive military resources can achieve a victory, targeted
intelligence is a critical factor to win against terrorism.” Yariv emphasized
that counterterrorism is based on targeted intelligence, which enables both
the stopping of attacks in time, and the damaging of the terrorist bases
and operatives that activate terrorism. He noted the importance of seeking
to prevent threats through a thorough monitoring of terrorist cell



members, including their personal connections, especially those known

individuals who tend to guide and direct such activities.23
For many years, the implicit assumption was that terrorism was carried
out in secrecy by small groups (cells), acting under exact instructions from
senior operatives who supported them by providing logistical and
operational back-up and ideological guidance. This “theory” of terrorism
asserted that the chances of the successful implementation of attack plans
were higher if they were conducted by small groups, rather than by
individuals. Terrorism, the theory claimed, relied on strong secrecy and
discipline, a variety of capabilities, absolute authority, and the ability to
make modifications in programs, including last-minute changes in selected
In meeting this goal of monitoring cell members, various dedicated
information technologies that can identify and analyze hidden connections
between terrorists and suspects, based on their actions taken in the digital
space, have been shown to be effective. For example, hidden connections
have led to the discovery of terrorists’ intentions and have thus generated
timely warnings. Notably, the chances for preventing terrorist attacks
through these technology systems have been higher when attacks came
from small terrorist cells. When one suspect was detected, it was possible
to quickly reach other suspects in the cell connected with him, usually
without his knowledge, based on information gathered from the virtual
space24 and communication devices used by the terrorist. Human
intelligence (HUMINT) gathered by means of agents’ personal contacts
has always been considered a very significant complementary factor; its
contribution was often critical in terrorist prevention, even more so than
information from technological systems.25 But HUMINT alone has had
difficulty penetrating these small clandestine cells as they are highly
While monitoring terrorist cells has been very difficult, the technological
breakthroughs made by specialized information systems have led to an
improvement in the availability of early warnings about potential terrorist
activities. Counterintelligence organizations have lately gained a significant
advantage over terrorist organizations, especially since the transition to
digital communication and the use of Big Data platforms.
Beyond extracting information passing through the Internet and high-
speed processing of large volumes of data, digital communication and Big
Data have enabled new capabilities, such as identifying complex
relationships between people and other entities (e.g., locations, vehicles,
financial transactions, bank accounts, credit cards). In turn, this has
enabled counterintelligence to discover activists directly connected to other
suspects (the “first generation”), and thereby increasing the chances of
successful counterterrorism. Digital clues about potential hazards often



on-line (and immediate), can quickly locate additional connections, isolating

those that seem suspicious and can focus on identifying individuals’
intentions to harm.
Thus, intelligence targets have been monitored through various measures to
find out more about their intentions and abilities. American National Security
Agency (NSA) intelligence officer Edward Snowden, who defected from the
United States and is now living in Russia, plainly described the tremendous
technological efforts invested in the United States and in Britain in
thwarting terrorism.26 He noted that, while intelligence gathering and
countering the actions of groups (cells) have had a “track record” of success,
there have been such few successes in identifying “lone wolf” suspects, due
to the absence of focused information. The result has often been endless
amounts of information with almost no effective operational options.
According to Snowden, no correlation was found between additional
information and the rate of the effectiveness of counterintelligence efforts.27
In addition, Snowden’s revelations, exposing the huge volume of monitoring
by the U.S. Intelligence Community on its Western allies, undermined trust
and cooperation between U.S. intelligence organizations and the European
intelligence services in their efforts to prevent terrorism.28


Developed about 20 years ago, Link Analysis is an information systems
tool29 that was originally created to facilitate a faster transfer of
information through the telecommunications infrastructure. Later, it was
adapted for other areas, such as analyzing information and building
contextual links in order to enhance human capabilities to better
understand the essence of huge volumes of information in business, mainly
in marketing, marketing research,30 and other fields requiring competitive
intelligence.31 Law enforcement organizations, including the police, also
made extensive use of Link Analysis to prevent criminal activities,
especially by organized crime. Among the leading advanced tools were
British i2 and applications made by the Israeli software company Svivot.
The Federal Bureau of Investigation (FBI) began using Link Analysis
in the late 1990s, and the British police gained a significant advantage
over criminal organizations that were stunned by the high capacity of
this tool.
The concept behind Link Analysis is the theoretical ability to perform
automatic links by mapping relevant connections between different pieces
of information through various entities without the analysis of their
content. It had already existed in the mid 1980s. But only after significant
progress within the field of digitations was it possible to apply the theory
to an operational tool. Link Analysis was implemented after the 9/11



terrorist attacks in intelligence organizations which had failed to expose and

analyze hostile networks.32 According to the official investigation committee
of the American administration,33 the NSA had received information just
prior to the 9/11 attacks about some of the hijackers and their
relationships with al-Qaeda, but failed to produce any intelligence warning
to help stop the terrorists (the terrorists had, in fact, trained in flight
schools in various locations in the United States). While the American
intelligence services had evaluated the significance of the information, they
had not followed up by mapping the links among these terrorists, so their
analysis, unfortunately, had not resulted in a clear warning. Link Analysis
systems are capable of amplifying weak signals’ threats into early-warning
operations.34 It continues to be used today for the intensive tracking of
counterintelligence targets.
With the development of Big Data systems, special information systems
have led to better abilities of particular counterintelligence organizations.
Integration of Big Data internal systems with highly sophisticated Link
Analysis capabilities seems to enhance the success rate in foiling terrorist
activities—an example is British police forces’ efforts against organized
But these automatic systems are not infallible; when they have been wrong
or did not help to target suspects, usually as a result of lack of targeted
information, failures in preventing terrorism have resulted. The November
2015 terrorist attacks in Paris that killed 130 people are a good example.
French counterintelligence had superficially acknowledged the terrorists’
threat but had been unable to recognize the relationships among the
terrorists before the attacks; its suspicions were not aroused. Had it had
such knowledge, French counterintelligence could have taken preventive
Another example of the high reliance on advanced information technology
capabilities by British intelligence occurred in 2005, after the Islamic terrorist
bombings of London’s public transportation system. The attack killed some
50 people. Only by surprise did British intelligence learn that the terror cell
that had carried out the attack had no connections with al-Qaeda. The
four terrorists involved had been influenced by British Muslim Websites
and by clerics, but had not conducted the attacks on behalf of al-Qaeda as
initially claimed by the British authorities.37 The leader of the attackers
had been under surveillance by the British counterintelligence agency, the
MI5, two years earlier, but the information collected on him did not
include his suspicious ties to the other attackers, and did not facilitate the
focus on those suspected—information that could have prevented the
attacks. Better mapping by the MI5 of the prime suspect’s connections
could have created an early-warning signal which would have resulted in
their arrest before they carried out their attack.



The “Lone Wolf” Exception

While preventing terrorist attacks initiated by networks (terrorist cells) is
highly supported by dedicated intelligence information systems, this is not
the case in the “Lone Wolf” phenomenon. When the hazards do not
originate in the classic configuration of organized terror cells, the
advantages of advanced technological tools are far more limited due to the
fact that terrorists usually do not receive instructions from an external
source. As attacks are now increasingly of the individual “lone wolf” type,
Link Analysis tools seem to have lost their power to facilitate early
detection (early warning) of threats.
Yet, these tools remain useful for investigation after the execution of “lone
wolf” attacks, in efforts to identify collaborators or other operatives
connected to the terrorists. The effectiveness of a post-mortem to help
avoid the next attack remains low, since its prime strength is to find out
more about the recent attack. The fact that ISIS has consistently claimed
responsibility for the attacks by “lone wolves” has a cognitive effect of
scaring the public, but ISIS’s claiming responsibility does not help prevent
the next attack. Regarding the July 2016 attack in Nice, the French
authorities discovered in retrospect that the terrorist driving the truck
probably had ties with jihadist elements. But this was not learned soon
enough: the perpetrator had been careful not to share his intentions with
others, and so his ties had not been considered suspect.38 German
authorities have reached similar conclusions regarding the vehicular attack
by Anis Amri, a Tunisian, in Berlin on Christmas 2016, that killed twelve
people and injured 56 others. Amri also had been careful and had not
shared his intentions with others.


Social media is a major factor in transmitting messages among people. In
social media, people are easily exposed to new ideologies, including
extremist communications of every kind. The spread of ideas and beliefs
passes at great speed from person to person. By means of dedicated
information systems, social media monitoring capabilities help to identify
people who are undergoing the processes of radicalization. Whether these
newly radicalized people are expressing mere opinions and thoughts, or if
they have actually begun acting or intend to do so is impossible to know.
The monitoring methods and models developed by social network
researchers, and the automated tools for gathering online social
information for the business sector,39 are also used to construct an
intelligence picture to help prevent terrorist recruitment and planning



The ability to predict individual acts of terror based on information

collected from the social media, as claimed by experts of these kinds of
dedicated systems, is highly questionable.41 Some intelligence organizations
claim to have identified the secret of tracking potential terrorists through
the social media, along with the claims of certain private corporations that
supply such tools to these security organizations.42 Without empirical
evidence, these claims are highly questionable, considering the complexity
of this issue. Considerable difficulty persists in not only assessing the
significance of the information flowing through the social networks, but
also in identifying concrete intentions for human behavior, and in properly
analyzing the complex texts of different languages by automated means.
These goals await a significant breakthrough.
Nonetheless, in March 2017, Nadav Argaman, Managing Director of the
Israel Security Agency (ISA), reported such a capability for identifying and
tracking suspected terrorists.43 A month later,44 more details were
disclosed. Through close monitoring of the social media in the occupied
territories, the ISA succeeded in arresting 400 potential terrorists, most of
whom were detained without a trial. The ISA is apparently combining
social media information gathered from open source intelligence (OSINT)
with its own data bases, which comprise some 2.6 million inhabitants of
occupied Judea and Samaria. Considering that the information in ISA
data bases is solid, as a result of extensive monitoring of this population
since 1967, when Israel occupied these territories, the biggest challenge is
to extract information on suspects from the social media discourse. This is
a complex undertaking with a potential for many errors. Since
implementing this new tracking system, which is quite similar to systems
already put into practice in other Western countries, including the U.S.,
UK, France, and Germany, Israel has experienced an increase in “lone
wolf” attacks, including one in April 2017 that involved the fatal stabbing
of a British student. While the ISA nevertheless claims to have reduced the
number of “lone wolf” attacks, it has not included the possible effects of
other variables that might be leading to a decrease, such as the Palestinian
society’s disappointment in the poor political results arising from the
“Intifada of Knives,” the lack of outright Palestinian public support for
these assaults, and successful counterintelligence efforts by the Palestinian
Authority’s security forces. More concrete evidence is required to evaluate
the accuracy of the claimed rate of success of the ISA’s new
counterintelligence strategy.45


During his visit to Israel, former FBI official Tim Murphy said that he would
demand that Facebook, Twitter, and the rest of the social network services



stop publishing risky content, and also ask them to identify agitators and
potential terrorists.46 This does not seem practical, as Facebook alone has
more than one billion, 200 million members, and the amount of
information it passes through its servers is endless. To perform quality
surveillance is impossible, especially when those being radicalized have
learned to hide their intentions and stay “below the radar” for fear of being
monitored by counterterrorism organizations. Murphy’s demand to
monitor suspicious information on the social networks also seems to lessen
the protective responsibility of the FBI and other counterintelligence
organizations worldwide. Counterintelligence organizations must build new
capabilities; they should not lean on social media platforms to perform the
monitoring for them. In 2015 Andrew Parker, head of MI5,47
acknowledged that terrorists and radical elements were aware of the
capabilities of intelligence organizations for social network monitoring and
were using digital tools, such as encrypted messaging software (e.g.,
Telegram and WhatsApp). Radicalized Web surfers operate with extreme
caution by hiding words and using codes. The use of these tools, known as
“Remote Intimacy,” is quite simple and available on the Internet. In fact,
ISIS encourages their use48 to recruit and lead individuals to radicalize.
Yet, the border dividing online content of religion and ideology and various
efforts to recruit terrorists or convince “lone wolves” to act is very
complicated. That someone being monitored expresses solidarity with
terrorist activities and ideology does not mean that he or she will act. In
fact, in most cases, the person probably will not act. Counterterrorism
thereby becomes much more challenging.
In the era of Facebook, Telegram, Twitter, WhatsApp, and other social
media and messaging applications, to discern the meaning of the
relationships among people and to identify networks of secret cells that
intend to act is very difficult. Would-be terrorists have changed their
methods of action and become very careful in using these open-source tools.
Counterintelligence would greatly benefit if ISIS activists who were
conducting the attacks could be identified in the social media. However,
many of the more recent attacks have been carried out by “lone wolves”
who are usually not connected to key recruiters and terrorist operatives or
to anyone. Obviously, once counterintelligence organizations succeed in
identifying an organized terrorism operator, their work is facilitated and the
variety of tools at their disposal that can be operated successfully can make
their work relatively easy. But, individual terrorists operate differently,
making many of the normal intelligence organizations’ efforts largely futile,
as they often act against suspects who actually do not cause harm.49
When the amount of information becomes enormous and continues to
expand exponentially, leading to an inability to focus on specific potential
terrorists and identify their intentions in time, the chances for success are



not high. A decade ago, a head of MI5 was interviewed about the reasons for
the failure in preventing the terrorist attacks of 2005 and 2007 in Britain. He
noted that “the security services suspect 1600 people of involvement in
terrorism,”50 making it impossible to focus on the few who eventually
carried out the attacks. British officials expressed the same sentiment after
the deadly terrorist attack on the British Parliament in London on
22 March 2017. The huge number of suspects, approximately 3000
individuals, were on the MI5 list of terrorist suspects in 2017,51 similar to
the number of targets revealed by the French internal intelligence agency
DGSI after the attack on the Champs-Elysées in April 2017,52 requires a
much broader intelligence attention than previously. It is a problem not
only of allocation of resources but of creating new capabilities to deal with
complex issues, such as tracking “lone wolves,” and working in the virtual
sphere with endless pieces of information.


The number of terrorists identified as “lone wolves” is increasing. The
dedicated intelligence information tools developed over many years to
identify potential attackers in advance have become less valid and in some
cases ineffective, since they are based on the classical modus operandi of
terrorism that is not applicable to cases of “lone wolves.” Yet, the more
that “lone wolves” succeed in their self-defined missions, the greater the
self-confidence of those considering imitating them, which in turn
frustrates the intelligence organizations and the heads of state who are
accountable for the public security.
Israel has been facing a surprising increase of “lone wolf” terrorist attacks,
with approximately 200 since October 2015. Despite its efforts, the ISA has
met with extreme difficulty in trying to prevent them—in contrast to its high
success rate with “classic” terrorist cells.
The experience in Western countries in the last 15 years shows that
responding to counter-terrorism requirements by lowering the sphere of
privacy and enlarging the power of legal authorities to treat suspects53 is
not providing the expected value. Considerable doubts arose regarding the
effectiveness of these “big moves” taken by intelligence organizations,
backed up by lawmakers. They do not seem to be leading to more effective
early-warning signals.54 Thus, the quality of targeted intelligence apparently
remains the most significant element in stopping terrorism.
Intelligence efforts that fail to provide advance warning of terrorist
attacks, including attacks by “lone wolves,”55 caused European countries
to take further steps to minimize threats, especially after the U.S. did so in
the aftermath of 9/11. While public opinion has gradually acknowledged
the importance of security, it is still unwilling to take such necessary



measures as the closure of borders, the security surveillance of suspicious

populations, the denial of citizenship to individuals of concern, and the
granting of greater immunity to security forces, because these steps would
result in a perceived reduction of freedom and human rights.
The European Union’s new privacy law, General Data Protection
Regulation,56 which was to be implemented in all EU countries by May
2018, may make even more difficult the counterintelligence activities of
collecting private information about citizens. It also will require more
cooperation among intelligence organizations. Yet, this regulation may not
help counterintelligence stop terrorism, especially by “lone wolves.” In
such cases, attacks might be prevented only by security forces in the field
whose quick reaction could thwart an attack before it was carried out.

David Bartal, “What Are You so Afraid of?,” Haaretz Weekend Supplement,
17 March 2017, pp. 56–58.
Rukmini Callimachi, “How ISIS Built the Machinery of Terror Under Europe’s
Gaze,” The New York Times, 29 March 2016, available at http://www.nytimes.
According to Nassim Taleb, The Black Swan: The Impact of the Highly
Improbable (New York: Random House, 2010), a Black Swan is an event,
positive or negative, that is deemed improbable yet has massive consequences.
Taleb shows that Black Swan events explain almost everything about our
world, and yet we—especially the experts—are blind to them.
Sherman Kent, Strategic Intelligence for American World Policy (Princeton, NJ:
Princeton University Press, 1949), p. ix.
Ibid., p. 3.
Report of the Commission on Governmental Security (Washington, DC, 1957),
pp. 48–49.
According to the Central Intelligence Agency (CIA), the Intelligence Cycle is a
closed path consisting of stages including the issuance of requirements by
decisionmakers: planning and direction, collection, processing, analysis, and
dissemination of intelligence. Available at
Roy Godson, Intelligence Requirements for the 1980's: Counter Intelligence
(New Brunswick, NJ: National Strategy Information Center, Transaction
Books, 1980, pp. 13–30.
According to the U.S. Department of State, the National Strategy for Combating
Terrorism, “Not only do we employ military power, we use diplomatic, financial,
intelligence, and law enforcement activities to protect the Homeland and extend
our defenses, disrupt terrorist operations, and deprive our enemies of what they
need to operate and survive,” available at https://2001–
wh/71803.htm. Counter-terrorism incorporates the practice used by governments
that are based on intelligence to combat or prevent terrorism.



Daniel Byman, “The Intelligence War in Terrorism,” Intelligence and National
Security, Vol. 29, No. 6, 2014, pp. 837–865
Michelle Van Cleave, Counterintelligence and National Security (Washington,
DC: National Defense University Press, 2007).
Javier Argomaniz, Oldrich Bures, and Christian Kaunert, “A Decade of EU
Counter-Terrorism and Intelligence: A Critical Assessment,” Intelligence and
National Security, Vol. 30, Nos. 2–3, 2015, pp. 191–206.
Avner Barnea, “The Unique Nature of Humint,” in Amos Gilboa and Ephraim
Lapid, eds., Israel’s Silent Defender: An Insider Look at Sixty Years of Israeli
Intelligence (New York: Gefen Publishing House, 2012), pp. 207–216.
According to a research paper published in 2005, targeted killings and preemptive
arrests in Israel, which aimed to reduce the capacity of terror organizations to
commit attacks, actually sparks estimated recruitment to the terror stock that
increased rather than decreased the rate of suicide bombings. See Edward
Kaplan and Alex Mintz, “What Happened to Suicide Bombings in Israel?
Insights from a Terror Stock Model,” Studies in Conflict & Terrorism, Vol. 28,
2005, pp. 225–235.
Daveed Gartenstein-Ross and Nathaniel Barr, “The Myth of Lone-Wolf
Terrorism,” Foreign Affairs, 26 July 2016, available at https://www.
Gili Cohen, “Eizencott: Out of 101 Knives Attacks We Did Not Have Even One
Warning,” Haaretz, 18 January 2016, available at
politics/1.2824704 (Hebrew).
Avner Barnea, “The Assassination of a Prime Minister: The Intelligence Failure
that Failed to Prevent the Murder of Yitzhak Rabin,” The International
Journal of Intelligence, Security and Public Affairs, Vol. 19, No. 1, 2017,
pp. 23–43.
Jacob Siegel, “Lone Wolves, Terrorist Runts, and the Stray Dogs of ISIS,” The
Daily Beast, 24 October 2014, available at
Sean Larkin, “The Age of Transparency,” Foreign Affairs, May/June,
2016, available at
Robin Simox, “British Counterterrorism Policy After Westminster,” Foreign
Affairs, 28 March 2017, available at
“Contest": A dedicated program by the British Intelligence for the Suppression
of Terror, which began operation in 2013, available at
Leda Reynolds, “ISIS Recruiter Uses PET CAT to Entice Youngsters to Join
Terror Group,” Express, 21 December 2015, available at
Aharon Yariv, “The Function of Intelligence in Combating Terror, ” in Zvi Ofer
and Avi Kober, eds., Intelligence and National Security (Tel Aviv: Maarachot,
1987, in Hebrew), pp. 335–346.



Andreas Golovin, “Fundamental Elements of the Counterintelligence
Discipline,” Intelligence and Counterintelligence Studies (Hauppauge, NY: Nova
Science Publishers, 2009), pp. 1–69.
Avner Barnea, “The Unique Nature of Humint.”
Glenn Greenwald, No Place to Hide: Edward Snowden, the NSA, and the U.S.
Surveillance State (New York: Metropolitan Books, 2014).
Glenn Greenwald, “Members of Congress Denied Access to Basic Information
about NSA,” The Guardian, 4 August 2013, available at https://www. See also
Thomas Eddlem, “The NSA Domestic Surveillance Lie,” The New American 22
September 2013, available at
Michelle Flournoy and Adam Klein, “What Europe Got Wrong About the
NSA,” Foreign Affairs, 2 August 2016.
Philip Klerks, “The Network Paradigm Applied to Criminal Organizations:
Theoretical Nitpicking or a Relevant Doctrine for Investigators? Recent
Developments in the Netherlands,” Connections, No. 24, 2001, pp. 53–65.
Kenneth E. Clow and Karen E. James, Essentials of Marketing Research: Putting
Research into Practice (Los Angeles: SAGE Publications, 2013), pp 145–146.
Avner Barnea, “Link Analysis as a Tool for Competitive Intelligence,”
Competitive Intelligence Magazine, July–August 2005.
John Picarelli, “Transnational Threat Indications and Warning: The Utility of
Network Analysis,” AAAI Technical Report FS-98–01, U.S. National Security
Council, 1998, available at
The 9/11 Commission Report Final Report of the National Commission on Terrorist
Attacks Upon the United States, Executive Summary, 22 July 2004, available at
Paul Schoemaker and George Day, “How to Make Sense of Weak Signals,” MIT
Sloan Management Review (Spring 2009).
Antonio Badia and Mehmed Kantardiz, “Link Analysis Tools for Intelligence
and Counterterrorism,” Proceeding, ISI'05 Proceedings of the 2005 IEEE
International Conference on Intelligence and Security Informatics, University of
Louisville, Louisville, KY, 2005, available at
Rukmini Callimachi, “How ISIS Built the Machinery of Terror Under Europe’s
Mark Townsend, “Leak Reveals Official Story of London Bombings,” The
Guardian, 9 April 2006, available at
Daveed Gartenstein-Ross and Nathaniel Barr, “The Myth of Lone-Wolf
Martin Harrysson, Estelle Metayer, and Hugo Sarrazin, “How Social Intelligence
can Guide Decisions,” McKinsey Quarterly, November 2012, available at http://



John Bohannon, “How to Attack the Islamic State Online,” Science, 17 June
2016, Vol. 352, No. 6292, pp. 1380.
Catherine Caruso, “Can a Social-Media Algorithm Predict a Terror Attack?,”
MIT Technology Review, 16 June 2016, available at https://www.
Jonathan Ferziger and Peter Waldman, “How Do Israel’s Tech Firms Do
Business in Saudi Arabia? Very Quietly,” BloombergBusinessweek, February
2017, available at
Tal Shalev, “The ISA Director Assesses that More Terrorist Attacks Will Be on
Passover,” Haaretz, 20 March 2017, available at
Amos Harel, “Israel Arrested 400 of Palestinians Suspected of Planning Attacks
after Monitoring Social Networks,” Haaretz, 16 April 2017.
An article published in Israel by Or Hirshoga and Hagar Shizaf, “Targeted
Killings: The New System to Confront Individuals’ Terror Has Been Exposed,”
Haaretz, 26 May 2017, available at
premium-1.4124379, states that most Israeli monitoring of the social media
against terrorism is done in occupied Judea and Samaria, which are under a
military regime. The majority of the suspected terrorists who are arrested are
held in prison for a long time without being brought to justice. This situation
raises striking questions as to the real effectiveness of these information systems
Nehama Doek, “There Is a Need to Kill the Head of ISIS as We Did to Bin
Laden,” Yediot Ahronoth, 29 July 2016.
“MI5 Boss Warns of Technology Terror Risk,” BBC, 17 September 2015,
available at
Thomas Tracey, “ISIS has Mastered Social Media Recruiting ‘Lone Wolf’
Terrorist,” Daily News, New York, 17 September 2015, available at http://
Some 20,000 potential terrorists were listed in MI5’s databases in 2017, while only
3,000 of them belong to the short list of extremely suspected terrorists. This may
indicate that the British intelligence community has a serious problem in focusing
on the “right” targets. Retrieved from,7340,L-
Catherine Mayer, “Outnumbered: A London Trial Reveals Why Some Terrorists
Will Always Slip Through the Net,” Time, 14 May 2005, p. 25.
John Edwards, “A Former MI5 Agent Tells Us Why It’s So Easy for Terror
Suspects Like Khalid Masood to Move Around Without Being Arrested,”
Business Insider, 23 March 2017, available at
Adam Nossiter, “Attack on Champs-Élysées Injects More Uncertainty into
French Vote,” The New York Times, 21 April 2017, available at https://www.



There are contrary opinions about whether Karim Cheurfi, the gunman killed
after he shot a policeman on the Champs-Elysées, Paris, in April 2017, was a
Lone Wolf. He had a long criminal record and spent more than a decade in
prison for the attempted murder of two policemen. Since, in February 2017, he
was already under investigation for terrorism by the French intelligence agency
DGSI he could have been stopped in time. This attack was more of an
intelligence failure.
Claire Adidia, David Laitin, and Marie-Anne Valfort, “The Wrong Way to Stop
Terrorism,” Foreign Affairs, 1 February 2017, available at https://www.
Glenn Greenwald, No Place to Hide: Edward Snowden, the NSA, and the U.S.
Surveillance State. These conclusions are the result of the information received
from Snowden, a U.S. National Security Agency (NSA) intelligence officer,
who plainly described the tremendous technological efforts in which the United
Stated and Britain had invested in seeking to thwart terrorism.
Daniel Byman, “How to Hunt a Lone Wolf: Countering Terrorists Who Act on
Their Own,” Foreign Affairs, March/April 2017, available at https://www.
According to the European Union’s new General Data Protection Regulation
(GDPR), all Internet companies that collect personal information on the
framework of their activity (e.g., Google, Facebook, cyber companies) will be
prohibited from maintaining personal information about European citizens,
and any of the limited personal information that will be stored in Europe will
be subject to European restrictions. In order to obtain personal information,
security authorities in each country will have to request specific information
about suspects. This will mark a great change to the current situation, in which
information is available only to the intelligence organizations in the United
States because the leading global companies of social media and the Internet
are based in the U.S. For further details see: