Los Angeles Schools Supt. Alberto Carvalho was granted rare emergency powers on Tuesday to deal with the ongoing crisis caused by a massive cyberattack on the nation’s second-biggest school system over Labor Day weekend.
In the interview after the meeting, Carvalho revealed another element of the attack. The hackers left silent, almost invisible tripwires with the potential to trigger another chain of damage or compromised information, another indication of the seriousness of the breach, which is being investigated by the FBI, Department of Homeland Security, and local law enforcement.
The school board approved the emergency authority with the required unanimity. The lawsuit states that for one year, Carvalho “can enter into all contracts” to obtain “materials, supplies and professional services necessary to deal with the emergencies caused by the cyberattack.” The agency allows Carvalho to take action “without advertising or bidding and for any dollar amount required.”
Carvalho said there will be limits to what he would disclose publicly about spending to avoid providing a roadmap for future attacks. The ransomware attack was carried out by a criminal syndicate targeting educational institutions, a group well known to law enforcement.
“This is a transparent body that operates transparently and very publicly. But the government and the law also allow privileges when it comes to very sensitive information,” Carvalho said, adding that he must act quickly to take “necessary protective tools and measures” to recover from the attack and prevent future ones.
While schools opened as planned on September 6, many students, parents and staff said little academic or other regular work could be done as a result as not all computer systems and programs were working or accessible. The online attack was underway on Saturday, September 3 when district officials noticed the intrusion and took countermeasures to repel it.
During the attack, the facility’s network was encrypted and shut down. County officials said they prevented a similar outcome elsewhere by shutting down other systems and then gradually and safely bringing them back online. However, this process resulted in students, teachers and staff not being able to work normally.
Because the hackers had compromised a significant number of passwords, officials ordered a district-wide wipe of more than 600,000 credentials. Then the technicians discovered that the password reset system was also partially compromised – and the reset process needed to be slowed down.
That problem has been solved, Carvalho said, but it’s still unknown to what extent hackers might have been able to download student information such as grades, course schedules, disciplinary records and disability status.
Overall, the situation had improved significantly by Tuesday, but workers and families were still reporting online disruptions, disabled computer programs and inaccessible websites.
According to Carvalho, 92% of middle and high school students have successfully changed their passwords. All elementary school students have been given temporary passwords.
Board member Monica Garcia said school administrators proved resourceful in using workarounds until systems could be fully restored.
One example was that Eastside students couldn’t take advantage of dual enrollment at East Los Angeles College, a program that allows students to earn college credits and certificates of qualification while still in high school or even middle school . But the applications were online and the deadline was approaching. Officials quickly obtained, distributed, and collected paper-and-pencil forms and mailed them back to the college before the deadline, Garcia said.
Carvalho said he acknowledged his emergency powers could be a concern. He promised to provide monthly spending reports with as much detail as possible for three months, and bi-monthly reports thereafter. In six months there would be a big picture check-in, including an examination of whether it was necessary to retain the emergency authority,
Until recently, an expanded emergency agency was all but unheard of of LA Unified, but the board took a similar course at the onset of the COVID-19 pandemic. The then Superintendent, Austin Beutner, operated with these powers for more than a year, and they were broader in nature, taking over virtually all district operations.
https://www.latimes.com/california/story/2022-09-13/l-a-schools-chief-to-use-emergency-authority-in-cyberattack L.A. schools chief to use emergency authority in cyberattack