L.A. schools chief given rare emergency authority to deal with cyberattack
Los Angeles schools Supt. Alberto Carvalho on Tuesday received rare emergency powers to deal with the ongoing crisis caused by a massive Labor Day weekend cyberattack on the nation’s second-largest school system.
In an interview after the meeting, Carvalho revealed another element of the attack. The hackers had left behind silent, almost invisible tripwires with the potential to set off another chain of damage or compromised information, another indication of the seriousness of the breach that is under investigation by the FBI, the Department of Homeland Security and local law enforcement.
The Board of Education approved the emergency authority by the required unanimous vote. The action specifies that Carvalho for one year “may enter into any and all contracts” to obtain “materials, supplies and professional services necessary to address the emergency conditions caused by the cyber-attack.” The authority allows Carvalho to take action “without advertising or inviting bids and for any dollar amount necessary.”
Carvalho said there would be limits on what he would publicly disclose about the spending, to avoid providing a roadmap for future attacks. The ransomware attack was carried out by a criminal syndicate that has targeted educational institutions, a group that is well known to law enforcement.
“This is a transparent board that operates in a transparent way, in a very public way. However, even government and law allow for privilege when it comes to very confidential information,” Carvalho said, adding that he needed to move swiftly to put in place “necessary protective tools and measures” to recover from the attack and to prevent future ones.
Disruptions and technical delays at L.A. Unified schools are expected. The FBI and the Department of Homeland Security are helping investigate.
While schools opened as scheduled on Sept. 6, many students, parents and staff said little academic or other regular work could be done in the aftermath as not all computer systems and programs were working or accessible. The online assault was under way on Saturday, Sept. 3, when district staff noticed the intrusion and took countermeasures to head it off.
During the attack the facilities network was encrypted and taken down. District officials said they prevented a similar outcome elsewhere by shutting down other systems, then bringing them back online gradually and safely. But this process resulted in students, teachers and staff being unable to work normally.
Because the hackers compromised a significant number of passwords, officials ordered a districtwide wide reset of more than 600,000 credentials. Then technicians discovered that the password reset system was partially compromised as well — and the reset process had to slow down.
That issue has been resolved, Carvalho said, but still unknown is to what extent hackers may have been able to download information about students, such as grades, course schedules, disciplinary records and disability status.
Overall, the situation had improved considerably by Tuesday but workers and families were still reporting online glitches, disabled computer programs and inaccessible web pages.
Carvalho said 92% of middle and high schoolers have successfully changed their passwords. All elementary students have been issued temporary passwords.
Auditors were able to obtain passwords, access some Social Security numbers and persuade district staff to download potentially dangerous codes.
Board member Monica Garcia said school leaders have proved resourceful in using workarounds until systems could be fully restored.
One example was that Eastside students were unable to take advantage of dual enrollment in East Los Angeles College, a program that allows students to earn college credit and skill certificates while still in high school or even middle school. But the applications were online and the deadline approaching. Officials quickly obtained, distributed and collected paper-and-pencil forms, returning them to the college before the deadline, Garcia said.
Carvalho said he recognized that his emergency powers could raise concerns. He pledged to provide monthly spending reports with as much detail as prudent for three months and then bimonthly reports thereafter. In six months, there would be a big-picture check-in, including an examination of whether it was necessary to retain the emergency authority,
Until recently, extended emergency authority was just about unheard of in L.A. Unified, but the board took a similar course at the beginning of the COVID-19 pandemic. The superintendent at that time, Austin Beutner, operated using these powers for more than a year and they were more sweeping in nature, taking in virtually all district operations.
Start your day right
Sign up for Essential California for news, features and recommendations from the L.A. Times and beyond in your inbox six days a week.
You may occasionally receive promotional content from the Los Angeles Times.