Q&A: Security expert says cyberterrorism is exaggerated

Computerworld - Bruce Schneier, designer of the popular Blowfish encryption algorithm, CTO of Counterpane Internet Security Inc. and renowned security expert, spoke with Computerworld Canada during his recent visit to Toronto.
What follows are some excerpts from those discussions:

Q: Do companies care more about computer security since 9/11?
A: We have not learned from the attacks, but do not be too surprised. It is true for all of society. Why should IT be different? Companies should not care any more now than they did before. They should have cared before and they should care now. But are they caring enough? No, of course not.

Q: Other experts I have spoken to disagree completely, saying they have seen a dramatic change in attitude.
A:Those who say there has been big change, look at their agenda. That is my only advice. In this industry there is a lot of impetus to pretend that there is a security watershed and everybody is doing something. If you are not doing something, then you are left out. I think we are seeing a lot of that in the industry. We see a steady increase of people caring and a huge spike in interest after 9/11, but I didn't see as much of a spike of people buying. Security was the flavor of the moment for a few months, but not any more.

Q: Why is it so hard to get companies to change their security mentality?
A:One of the problems is that there is no list a company can give a client and say "do these seven things and you will be safe." Regardless, we are putting too much faith in technology. The problems are not technology, the problems are people. We love the idea that technology will save us, but the fact is that it almost never does.

Q: A recent FBI report warned of an increased risk in cyberterrorism. What is your read on this?
A: I don't think we have seen cyberterrorism and I don't think we are going to see it for a couple of decades. It is still more complicated to use technology for (terrorist gain). The closest thing that we have had is in Australia where someone hacked into a system and dumped sewage out into a bay. If you look at what he did, it took him dozens of attempts, he barely made it work, and it didn't do that much damage. That is not terrorism.

Q: You have said that what we are seeing is not true cyberterrorism but rather cyberhooliganism. Care to elaborate?
A: