LOS ANGELES: LAUSD Gives Carvalho Emergency Power Against Cyber ​​Attacks

On Tuesday, September 13, the Los Angeles Unified School District school board granted a broad emergency power of attorney to Superintendent Alberto Carvalho to respond quickly to the recent cyberattack in LAUSD, bypassing the usual competitive bidding process required when the district contracts. to suppliers or consultants.

That hiring process, intended to provide public transparency, can be time-consuming and, in this case, could inadvertently convey to potential hackers what the district is doing.

Under a resolution the board unanimously approved Tuesday, Carvalho, or his designee, would have the authority to enter into contracts for goods or services without prior explanation or solicitation of bids in hopes of avoiding another security breach like the one over the weekend. of Labor Day. . The cyberattack forced approximately 600,000 students and staff in the nation’s second-largest district to reset their passwords.

Los Angeles County Superintendent of Schools Debra Duardo must sign off on the delegated authority plan.

The emergency power of attorney approved by the school board Tuesday is valid for one calendar year and allows the superintendent or designee to execute “certain contracts related to the investigation, remediation, and response to the cyberattack, to enable the design, development, replacement, complete restoration and/or improvements to systems, networks, and operations (“Emergency Contracts”), without advertising or solicitation of bids, and for any dollar amount necessary to respond to emergency conditions,” the resolution reads.

It also authorizes Carvalho or his designee to take “any and all actions necessary” to ensure the continuation of public education and the security of the district’s data, networks and servers.

There was no discussion by board members or public comment before the vote, although the superintendent did offer comment.

“This is a transparent board that works transparently,” Carvalho said.

But, he continued, “when it comes to highly sensitive information the disclosure of which could actually compromise the protective fabric of our district and our assets…by declaring through the traditional acquisition process how much or exactly what we are acquiring, we are pointing the finger at…possible bad actors of our intention with the degree and level of specificity that actually increase our vulnerability and potential liability. It is not prudent”.

The board would receive a monthly report for the first three months, and then a bi-monthly report, on the contracts the superintendent has signed. After six months, district officials would review whether emergency power should continue, Carvalho said.

LAUSD staff discovered that an outside party had hacked into the district’s computer systems over Labor Day weekend and immediately worked to notify law enforcement while shutting down all systems to prevent the attacker from infiltrating further. potentially sensitive or confidential information.

Carvalho said last week that the ransomware the hackers used temporarily disabled some systems, froze others and gave them “access to some degree of data,” but there was no evidence at the time that people’s health information or Social Security numbers would have been compromised.

It also appeared that payroll information was not touched, said the superintendent, who also reported last week that the district had not received a ransom demand.

A system used by the facilities department that contains information such as payments to contractors, much of which is already a public record, appeared to be the attacker’s point of entry, Carvalho said.

He told the board at its Tuesday meeting that the district was able to “identify and intercept this attack in its early stages” and was able to “disrupt not only the attack but also the critical information upload.” He said the district avoided “a much deeper and much more devastating seizure of assets and data. We were able to avoid that for the vast majority of our IT assets.” He added that officials do not believe that personal information has been compromised.

Carvalho said that while a small percentage of the district’s information may have been accessed by a third party, it still resulted in short-term and long-term “pain.”

The district’s student information system was “touched,” Carvalho said, though it’s not clear what the extent might be.

Cybersecurity experts say that just because LAUSD doesn’t have proof that sensitive information was stolen doesn’t mean it didn’t happen.

An investigation, involving the FBI and the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, is ongoing and could take months.

Meanwhile, 10 days after the district shut down its computer systems after noticing suspicious activity, not all students have reset the passwords on their school accounts, which they need to view and upload class assignments.

Because the servers used to reset passwords that were potentially compromised, the district had to slow down the password reset process, Carvalho said. As of Tuesday, 92% of middle and high school students had their passwords reset, and all elementary students and students enrolled in the district’s virtual online academies had their accounts automatically reset with temporary passwords, he said. Those in the latter group should eventually set up permanent passwords.

He also noted that the district in July declared plans to transition to a multi-factor authentication process to improve security, and officials are reviewing previous audits to determine how to best protect LAUSD’s computer systems.

Tuesday’s vote was not the first time the LAUSD school board has given emergency powers to a superintendent.

In March 2020, shortly after schools abruptly closed as the coronavirus pandemic first hit, the board gave then-Superintendent Austin Beutner similar authority, allowing him to purchase goods and services during the pandemic without going through the normal procedures that first require board approval.

The emergency authorization allowed Beutner and the district to move quickly to purchase secure student computing devices and mobile hotspots for distance learning, quickly set up a community food assistance program, provide COVID-19 testing and 19, hire staff to address the needs of students. academic needs, and to facilitate a safe reopening of schools.

The board terminated Beutner’s emergency power of attorney in May 2021.

LOS ANGELES: LAUSD Gives Carvalho Emergency Power Against Cyber ​​Attacks