SAN JOSE, USA -- Peter Ekanem, Santa Clara County's top information security officer, is facing possible criminal charges for unauthorized use of his office computer and cell phone, actions that amount to security breaches.
A recent search warrant reveals, among other actions, that Peter Ekanem, 44, e-mailed internal county documents to a former colleague in Ghana, who picked them up via e-mail at an Internet cafe.
Ekanem, who is under investigation by the district attorney's office, was placed on paid administrative leave Feb. 3, leaving the county without its top expert on protecting computer systems from intruders while the nation is on heightened alert against terrorism. Among other actions that violate some of the very policies he wrote, a search warrant says Ekanem e-mailed internal documents to a former county employee in Africa.
Assistant District Attorney Karyn Sinunu said a decision about whether to file charges will be made ``shortly.'' A separate administrative review also is concluding, which may result in Ekanem's termination, county officials said.
Ekanem's absence has set back the rollout of the security policy he developed, said Chief Information Officer Satish Ajmani. But Ajmani added that the ``guiding principles'' he wrote have not changed, and an outside contractor is now implementing the plan.
Ekanem said he could not discuss his situation.
His co-workers in the information services department first raised the alarm in an internal review that ``uncovered evidence of a potential compromise of county information security,'' the affidavit states.
Ekanem has reportedly engaged in long personal calls during work hours and pursued a master's degree on county time without employer authorization. Ekanem -- one of only two people in the county to possess a written report of every weakness and vulnerability within county computer networks -- listed his county cell phone number as his contact for a property he rents in Richmond, a fact an Internet search quickly revealed.
In his own security policy, Ekanem wrote that employees should expect their e-mail to be monitored and that the county specifically forbids use of the network ``for personal profit or running a business.''
Ekanem, who is 44 and earns $106,000, also is charged with sending internal county documents by e-mail to a former colleague in Ghana, who picked them up at an Internet cafe. The documents he released by e-mail are not believed to have jeopardized the county's security, but the fact that they were sent out of the county, by the official in charge of information security, prompted the inquiry.
In his 18-month tenure, Ekanem wrote the county's information technology security policy, which set up a security system to protect the confidentiality of personal information about taxpayers, such as Social Security numbers, medical records, birth and death certificates. The 245-member department he works for supports all the county's computer networks, including data kept by the hospital, law enforcement and social services.
Where trouble began
Problems first arose early this year, when Ekanem's co-workers alerted administrators in the information services department that he appeared to be spending an excessive amount of time on personal calls. That led to a review of Ekanem's cell phone bill and his e-mail correspondence, which raised more alarms.
County officials remain tight-lipped about the case, citing employee confidentiality. But they did release a copy of one document Ekanem is said to have e-mailed to a former information services department employee, Kwaku Nsiah, while Nsiah was in Ghana earlier this year.
The two men are believed to have exchanged a series of e-mails, including discussions about the county's disaster preparedness and recovery plan.
Nsiah, a former senior information technology project manager, was fired for incompetence in May during his probationary period. One of the documents Ekanem later sent him was a highly technical report from KPMG Consulting, laying out how it would structure the county's e-government service, if awarded a contract.
One expert's view
It is rare to have a security officer lose his post for a violation of information system rules, said Kevin Dickey, chief information security officer for Contra Costa County, and an adviser to the state on security issues. Dickey, whose last job was to secure the state lottery, said he has ``no knowledge of a security person in my line of work that was suspect.''
``Simply put, the guy should have known better,'' he said. ``Security is accountability, integrity and confidentiality, so if your job is to secure those things for your organization and you compromise it -- well shame on you.''
Dean Hipwell, an information security consultant and professor of computer science at National University, said he found Ekanem's case ``surprising.''
``There are a couple of cases where a network administrator was fired by their organization and, of course, contractors are notorious for not observing the rules,'' he said. ``But I still cannot recall a security officer being placed on administrative leave.''
In August 2001, a Sutter County network administrator for the department of information technology was arrested on charges of grand theft and using a computer with the intent to defraud. The man later pleaded guilty to the charges, said the Sacramento Valley High-Tech Crimes Task Force.
Finding a new security officer is a top priority for the information services department, but filling the post will not be easy in these times of budget cuts and a countywide hiring freeze.
Ekanem was praised as highly qualified when he was hired. He received special thanks in March 2002 from the California County Information Services Directors Association for his participation in a ``Best Practices'' information security forum.
The forum was held to shore up county information systems, including telecommunications, networks and facilities, ``in light of the horrific events of Sept. 11, 2001'' and threats from terrorists and foreign and domestic Internet attacks.
Part of the policy to which Ekanem contributed includes this piece of advice: ``Protect people as well as data. Don't forget that people can make or break a policy.''