This conversation aired in the July 2, 2026 episode of Crosscurrents.
We share our personal information all the time: at the pharmacy, at school, at the insurance agency. Many of us assume someone there knows how to keep our data safe. But, rapidly evolving AI systems are raising new cybersecurity questions.
Click the button above to listen.
Q&A Transcript:
Hana Baba: So what's going on? It feels like AI and cybersecurity have been everywhere in the news lately.
NeEddra James: They really have. Mostly national headlines, but the level that matters the most for us — in terms of where AI and cybersecurity actually impact us day to day – that’s the local level.
Hana: Local level. Alright, so break it down for us. What makes cybersecurity and AI a local issue?
NeEddra: Well, before I get to AI completely, let me just say that all the really important stuff we use everyday and never really think about but totally need to function – tap water, or power systems, all of that is controlled locally.
Okay? Like, let's take Cal Water, for example. On Friday - the cybersecurity firm Mandiant confirmed they were hacked in early June. And that’s because infrastructure today is networked –
Hana: Networked — networked to what? What does that mean?
NeEddra: Oh, it just means it’s connected to the internet. It’s just online.
Of course, local agencies have been online, or networked, for decades. But, over the last 15 years or so, a lot of cities have gone even more online, technology also evolved to connect physical objects like city lights or SmartTVs to the internet.
Hana: Like water systems. Mm-hmm. Okay, so you’re talking about things like MUNI bus stops with little digital screens updating bus arrival times.
NeEddra: Yes, exactly, exactly, and in order to do that, they have to use GPS and other data together to update riders in real time, and all those programs have to talk to each other through the internet. t can be extremely convenient. I know I like to know when the bus is coming. I
Hana: I was gonna say, it’s pretty convenient.
NeEddra: Exactly, right? So, the point is though, once, something, or anyone or anything once anyone or anything is online, it's vulnerable. It’s exposed to cyberattacks. In fact, MUNI was hit with a ransomware cyberattack over Thanksgiving back in 2016.
Hana: What is ransomware, exactly?
NeEddra: Oh, so ransomware is, kind of exactly what it sounds like – it’s malicious software that locks a user out of their files and demands payment to unlock them again. You can kind of think of it as data kidnapping.
So – at Muni in 2016, some administrators and station employees got locked out of the computers. Screens were black. Just a few words in white at the top reading: You hacked. All data encrypted.
Turns out the hackers infected software related to the fare gate system. Muni had to totally change how they operated for a few days – even had to shut down the fare gates – altogether.
Hana: Mm-hmm. And did they say why that happened?
NeEddra: Well, you know, agencies tend to keep investigation details private. One detail from the Muni case stuck with me though – according to reports some computers were running old software the developer didn’t even support anymore.
Hana: Why are they running software that old? That seems like the obvious thing to fix.
NeEddra: I thought so, too. So, I took this to someone who knows a ton about this. Her name is Lan Jenson, she worked as a corporate cybersecurity specialist for a long time. She even told me she once helped the FBI track down a hacker.
Hana: Okay.
NeEddra: But several years ago, she decided to leave corporate and go into civic cybersecurity. The story of how she got there is kinda funny.
Hana: Ah, you’re gonna tell it to us, right?
NeEddra: Of course. So, she takes her kid to the optometrist one day and because she does this for work everyday, she asked him how he secured her child’s medical records. Here’s what he told her:
Lan Jenson: he said, "Hey, I... Don't worry. Our IT guy is paid to handle and to secure your child's information." And so, you know, with my background, it was like, yeah, the IT guys, uh, come to us, a specialized um, function in the organization to do it.
Hana: Okay – so NeEddra, she’s like, “I’ve worked with the FBI, sir. “
NeEddra: Right! She told me that cybersecurity is no longer something that can be left to generalists — to the IT guys — and it actually hasn’t been for a while.The threats are growing and strategies are always evolving.
So, she built a nonprofit called Cybertrust America to serve local governments and small businesses that can’t keep up with the rapidly changing threat landscape.
Hana: Why is hat a problem? What's holding local governments bacK? Especially here, in the Bay Area.
NeEddra: Yeah – but you gotta have the money to buy new tech.
You know Lan told me that in a recent national survey three out of four local governments said they just don’t have the money for even the minimum recommended level of security. Not the gold standard. The minimum.
Hana: Just the minimum. So, AI security is layered on top of that?! Adding AI to online systems that don’t even have the minimum recommended level of security?
NeEddra: I'm afraid so.
Hana: It doesn't make sense.
NeEddra: Yeah, I'm afraid so. AI does up the ante on cybersecurity in truly new ways. When I was talking to Lan, she told me cybersecurity basics stay the same – things like treating anyone trying to access an org’s network like a brand new request. They have to login with a name and password the network recognizes.
We do this too, you know? If you’re not expecting anyone to come by your place but someone rings the door bell — what do we say?
Hana: Who is it?
NeEddra: Exactly, we wanna know who it is!! We don’t just let folks in and trust that it’s cool because they rang the doorbell.
So we’re like, “call when you’re on your way. Text me when you get here.” You know? In cybersecurity, that's called zero-trust.
So, everything cybersecurity was already doing to keep bad actors out —- that stays the same.
Hana: Okay. So what changes are happening with AI and cybersecurity?
NeEddra: Well, remember, local governments are adopting AI. That means they’re adding AI – to do things like reduce tasks that are repetitive, AND process large batches of data.
In the future, more complicated programs like AI agents will just be built-in to software that cities and towns use. These programs can start and complete tasks without being prompted.They’re designed to get work done without supervision like everyone else on the team – and that’s actually the problem. Here’s how Lan explained it to me:
LAN JENSON: Consider that, uh, the AI agents as, very resourceful- right? Because they have, uh, agency. They can think on their own. It's going to be very important to be very clear about what AI agents can access and cannot. You cannot just, uh, give it a broad policy, say, "Hey, any such important decisions, you should, ask, uh, a person, a human before you do things."
Hana: Alright, so, NeEddra, wow. Okay. So, for local governments the risk is that one day an AI agent might start doing things it’s not supposed to do?
NeEddra: That’s exactly right with regards to the AI agent..
Hana: To go rogue?
NeEddra: But listen – I didn’t come hang out with you to freak you out. I don’t have evidence of rogue AI agents in any Bay Area governments.
Hana: But that, that's the fear.
NeEddra: That's a possibility, right. The point is that AI adoption changes where the cybersecurity threat is.
So originally, you know, cybersecurity wants to keep folks out. That's, that's what we're traditionally doing. You secure the perimeter, you keep the bad actors out. But an AI agent is not breaking in. The agent came to work with a badge and a lunch plan, just like you. You know what I mean?
Hana: They're already there.
NeEddra: They're already there. Um, the job becomes making sure that inside agent doesn't become a cyber threat.
Hana: Right. So a- aren't there then safety evaluations? Um, I assume cities don't just roll out AI without testing.
NeEddra: Yeah, they do. But safety assessments, safety assessments are a snapshot, you know? They show you how safe a system is at a particular moment in time. Now, one of the people I talked to about this, uh, Joe Hartman, he's a cybersecurity expert. He's been doing this work since the '90s. I love the way he put it. He compared AI s- an AI system passing an evaluation to his son passing the driver's ed test behind the wheel. Mm-hmm. Mm-hmm. He's like, "Even though he passed the test, doesn't mean he'll never get into an accident."
Right? So testing helps, but it's not enough when the circumstances, conditions, the models keep changing and the threats keep changing.
Hana: So then what are local governments actually doing?
NeEddra: You know what? They are doing pretty much what most of us do when we need help and funds are low. We ask a friend.
Yeah. Almost three years ago, San Jose put their AI policy up, um, up online, and other cities began to download it and use it as templates.
That grew into a collective called the GovAI Coalition. It launched with, uh, 50 coalition cities, and they're learning from each other.
They host weekly webinars about civic AI adoption, and Lan, who we heard from earlier she, um, actually co-facilitates the generative AI working group.
Hana: So a small city with a one-person tech team doesn't have to build a safety network from scratch? There are these other models. They can bring them in, sharing with friends, like you said.
NeEddra: They sure can. They don't have to start from scratch. They can take what they need and adapt it. Now, that does not erase the funding gap. That is real, but it's a way of meeting that gap together.
Hana: Okay. All of this is really helpful. Little scary, but mostly helpful.