The Los Angeles Unified school board this week granted broad emergency power to Superintendent Alberto Carvalho to respond swiftly to the recent cyber attack on LAUSD, bypassing the usual public bidding process required when the district contracts with vendors or consultants.
That contracting process, meant to provide public transparency, can be time-consuming and, in this case, could inadvertently broadcast to potential hackers what the district is doing.
According to a resolution the board unanimously passed Tuesday, Carvalho — or his designee — would have the authority to enter into contracts for goods or services without first advertising or soliciting bids in hopes of preventing another security breach like the one over Labor Day weekend. The cyber attack forced roughly 600,000 students and staff in the nation’s second-largest district to reset their passwords.
L.A. County Superintendent of Schools Debra Duardo must sign off on the delegated authority plan.
The emergency power the school board approved Tuesday is valid for one calendar year and permits the superintendent or his designee to execute “certain contracts related to the investigation, remediation and response to the cyber attack, to enable the design, development, replacement, full restoration and/or improvements to systems, networks and operations (“Emergency Contracts”), without advertising or inviting bids, and for any dollar amount necessary to respond to the emergency conditions,” said the resolution.
It also authorizes Carvalho or his designee to take “any and all actions necessary” to ensure the continuation of public education and the safety and security of the district’s data, networks and servers.
There was no discussion by board members or comments from the public before the vote, though the superintendent offered remarks.
“This is a transparent board that operates in a transparent way,” Carvalho said. But, he continued, “when it comes to very confidential information whose release could in fact compromise the fabric of protection for our district and our assets ... declaring through the traditional procurement process how much or exactly what we are procuring, we are signaling to ... possible bad actors our intention with the degree and level of specificity that actually increase our vulnerability and potential liability. It is not prudent.”
The board would get a monthly report during the first three months, and after that a bimonthly report, regarding contracts the superintendent has signed. After six months, district officials would review whether the emergency power should continue, Carvalho said.
LAUSD staff found that an outside party had hacked the district’s computer systems over Labor Day weekend and immediately worked to notify law enforcement while shutting down all systems to stop the attacker from further infiltrating potentially sensitive or confidential information.
Carvalho said the district was able to “identify and intercept this attack at its beginning stages” and was “able to interrupt not only the attack but the uploading of critical information.” He said the district avoided “a much deeper and much more devastating seizure of assets and data. We were able to avoid that for the vast majority of our IT assets.” He added that officials do not believe personnel information was compromised.
The district’s student information system was “touched,” Carvalho said, though it’s unclear what the extent of that might be.
Cybersecurity experts say the fact that LAUSD may not have evidence that sensitive information was stolen doesn’t mean it didn’t happen.
An investigation involving the FBI and the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency is ongoing and could take months.
Because the servers used to reset passwords were potentially compromised, the district had to slow down the password resetting process, Carvalho said. As of Tuesday, 92 percent of middle and high school students had reset their passwords, and all elementary students and students enrolled in the district’s online virtual academies had their accounts automatically reset with temporary passwords, he said. Those in the latter group should eventually set up permanent passwords.
He also noted that the district in July declared plans to transition to a multifactor authentication process to improve security, and officials are reviewing past audits to determine how to better secure LAUSD’s computer systems.
Tuesday’s vote was not the first time the LAUSD school board has granted emergency powers to a superintendent. In March 2020, shortly after schools abruptly shut down when the coronavirus pandemic first hit, the board granted similar authority to then-Superintendent Austin Beutner, allowing him to procure goods and services during the pandemic by bypassing normal procedures requiring board approval first.
The emergency authorization allowed Beutner and the district to move quickly to buy computer devices and secure mobile hot spots for students for distance learning, quickly set up a food relief program for the community, provide COVID-19 testing and vaccinations, hire staff to address students’ academic needs, and to facilitate a safe reopening of schools.
The board rescinded Beutner’s emergency power in May 2021.
(c)2022 Daily Breeze, Torrance. Distributed by Tribune Content Agency, LLC.
