LAUSD Gives Superintendent Emergency Powers To Spend On Cyberattack Response — Without The Usual Public Scrutiny

Los Angeles Unified school board members voted unanimously Tuesday to give Superintendent Alberto Carvalho emergency powers to respond to the Labor Day weekend ransomware attack, which left many students without access to online systems for most of last week.

For the next year, Carvalho and L.A. Unified School District administrators will be able to pay for equipment, software, services or outside experts to aid in cyberattack recovery efforts — without the public scrutiny that’s typically required for such expenditures.

Normally, LAUSD administrators must hold a public bidding process and secure school board approval before moving forward with purchases or contracts.

However, Carvalho argued that following LAUSD’s normal purchasing or contracting rules — and the usual requirements for public disclosure — would unnecessarily hand an advantage to anyone still keen on breaching the district’s online defenses.

“[By] declaring through the traditional procurement process how much or what exactly we are procuring,” Carvalho said, “we are signaling both to potential contractors, as well as possible bad actors, our intention with a degree of specificity that increases our vulnerability and potential liability.”

How Will LAUSD Ensure Transparency In An Opaque Process?

Carvalho offered no estimate about how much LAUSD might end up spending using these emergency powers.

That said, Carvalho also promised to be transparent about costs. Carvalho committed to sharing monthly spending reports through December, and after that, every two months. The superintendent also left open the possibility that he’d ask the board to rescind his special powers in March 2023.

“I’m not one who necessarily believes it’s great public policy to maximize delegated authority beyond its necessity,” Carvalho said in an interview after the meeting.

Well before the ransomware attack, the superintendent had called for district-wide upgrades to the information technology infrastructure — but under the emergency authority, Carvalho said his designees would only spend money on cybersecurity.

“We will use that [authority] for crisis and emergency [response],” he said. “For longer-term picture fixes that our system may require beyond the crisis, I believe we will resume the transparent procurement process.”

The Last Time LAUSD Declared An Emergency

It was only 18 months ago that LAUSD’s board voted to end the last authorization of emergency powers.

On March 10, 2020, board members voted to give then-Superintendent Austin Beutner emergency powers to respond to the emerging COVID-19 pandemic — in large part so he could fast-track a deal to buy up some of Apple’s dwindling global supply of devices.

"We were at a point with [Apple], where they said, 'We have this much inventory left in all of the U.S. and it's at our stores. Do you want it or not?” Beutner recalled in an interview later that year.

The emergency declaration — formally approved just hours later — gave LAUSD the flexibility to finalize the purchase that, Beutner contended, the district’s normal procurement rules don’t allow.

Beutner said that avoiding this red tape was also crucial to landing an exclusive deal in fall 2020 with the biotech start-up that supplied LAUSD’s COVID-19 tests: “Start-up companies don't do business with big bureaucracies.”

In the end, the board rescinded Beutner’s emergency powers in May 2021.

How Is LAUSD’s Cyberattack Response Coming?

The only system that remains completely inaccessible to LAUSD personnel is the facilities database. Carvalho said Tuesday that the process of recovering and rebuilding that system will be “difficult and potentially expensive.”

However, scattered reports continue to pop up on social media from teachers and parents of interruptions in their access to LAUSD’s online systems for classroom files, for taking attendance and for special education records.

In theory, the only thing that stands between users and their data stored on LAUSD’s online systems was to reset their district “Single Sign-On” password.

Carvalho said last week that the district slowed down the process of resetting thousands of those passwords — for students, parents and teachers — out of concerns that the servers involved might have been compromised.

On Tuesday, Carvalho added more detail to that statement, saying that investigators had found evidence of malware that the cyber attackers had left behind that might have caused further problems had they been activated: the virtual equivalent of a “tripwire.”

However, Carvalho said Tuesday that nearly all of the district’s students had new passwords: 92% of middle- and high school students had gone through the reset process, and elementary schools had given all their students temporary passwords while on campus.

As of last Friday, Carvalho had said most of the district’s full-time employees had also managed to reset their passwords.