The URL can be used to link to this page

Home My WebLink About1796 AyersPHONE: 717-783-16,10 TOLL FREE: 1-800-932-0936 In Re: Robert A. Ayers, STATE ETHICS COMMISSION FINANCE BUILDING 0 1 W! :4 10H 6-1 g1f] LM WAJ§ JFA r File Docket: 19-040 FAGS ILE: 717-787-0806 WEBSffE: WWW.ethics.pa.gov Respondent X-ref- Order No. 179 Date Decided: 12/1/21 Date Mailed: 12/2/21 Before: Nicholas A. Colafella, Chair Mark R. Corrigan, Vice Chair Roger Nick Melanie DePalma Michael A. Schwartz Shelley Y. Simms This is a final adjudication of the State Ethics Commission. Procedurally, the Investigative Division of the State Ethics Commission conducted an investigation regarding possible violation(s) of the Public Official and Employee Ethics Act ("Ethics Act"), 65 Pa.C.S. § 1101 et �jgq., by the above -named Respondent. At the commencement of its investigation, the Investigative Division served upon Respondent written notice of the specific allegations. Upon completion of its investigation, the Investigative Division issued and served upon Respondent a Findings Report identified as an "Investigative Complaint." An Answer was filed, and a hearing was requested, A Stipulation of Findings and a Consent Agreement were subsequently submitted by the parties to the Commission for consideration, The Stipulated Findings are set forth as the Findings in this Order. The Consent Agreement has been approved. I. ALLEGATIONS: That Robert A. Ayers, a public employee in his capacity as an Information Technology Executive I for the Enterprise Information Security Office of the Office of Infonnation Technology within the Governor's Office of Administration of the Commonwealth of Pennsylvania ("Commonwealth"), violated Sections 1103(a), 1105(b)(5), 1105(b)(8), and I I 05(b)(9) of the State Ethics Act (Act 93 of 1998): (1) When he utilized the authority of his public employment and/or confidential information received through his holding of public employment for the private pecuniary benefit of himself and/or a business with which he is associated, namely Cyber Risk Services, 1,1,C and/or In Plain Sight Digital Security, LLC, when he utilized confidential information and/or his access, influence, and entree to solicit Avers, 19-040 Page 2 and/or provide information technology security services to various Pennsylvania county governments through a business with which he is/was associated; (2) When he utilized Commonwealth resources/property/equipment in furtherance of a private pecuniary benefit/gain; (3) When he utilized his access, influence, and entrde with various vendors to secure software products for resale to county governments; (4) When he engaged in business activity for the benefit of himself and/or a business with which he is associated during Commonwealth work hours; and (5) When he filed deficient Statements of Financial Interests for calendar years 2016 through 2018 when he failed to disclose income from, employment with, and/or financial interests in either Cyber Risk Services, LLC or In Plain Sight Digital Security, LLC, and filed a deficient Statement of Financial Interests for calendar year 2019 when he failed to identify the Commonwealth as a source of income and failed to include his interests in Cyber Risk Services, LLC. II. FINDINGS: 1. Robert Ayers ("Ayers") was employed by the Commonwealth of Pennsylvania ("Commonwealth") Governor's Office of Administration ("OA"), Office of Information Technology, Enterprise Information Security Office from April 8, 2008, until September 24, 2019. a. Ayers resigned from the Commonwealth on September 24, 2019, following an investigation completed by the Pennsylvania Office of State Inspector General. 2. Ayers' official title with the Commonwealth was Information Technology ("IT") Executive I within OA's Office of Information Technology. a. In this position, Ayers was determined by OA to be a public employee as defined in the Ethics Act. b. OA required Ayers to annually file a Statement of Financial Interests in his public position. C. As an employee of the Executive Branch, Ayers was subject to the Governor's Code of Conduct. 1. All employees of the Executive Branch are subject to the provisions of the Governor's Code of Conduct. Ayers, 19-040 Page 3 2. Executive Branch employees are required to annually file a Code of Conduct Disclosure form detailing, among other things, business interests and sources of income. d. The Governor's Code of Conduct includes, in part, the following prohibition: "Engage directly or indirectly in business transactions or private arrangement for profit which accrues from or is based upon his official position of authority." 3. Ayers' official duties as an Information Technology Executive 1 included the following: a. Support all aspects of IT security including information, network, physical security policies at an enterprise level. b. Develop and implement policies, procedures, and programs to ensure the confidentiality, integrity, and availability of systems, networks, and data. C. Define the scope and level of detail for security plans and policies applicable to the security program. d. Develop and implement higher level security requirements such as those resulting from laws or regulations. C. Serve as a project leader by assigning and reviewing work and performing quality control functions for the work performed by team members on the project for the duration of the security project. f. Review design strategies to determine proper interface with security systems. g. Participate in network, application, and other IT system designs to ensure implementation of appropriate systems security policies. h. Promote awareness of security issues among management, employees, and other entities Commonwealth -wide or agency -wide and ensure sound security principles are reflected in the Office of Information Technology's vision and goals. i. Provide advice and guidance in implementing information security policies and procedures in development and operation of IT systems. j. Help draft and implement policies and procedures to ensure information systems reliability and accessibility to prevent and defend against unauthorized access to systems, networks, and data. k. Create and manage incident response project plans. Ayers, 19-040 Page 4 1. Manage and provide reporting and analysis of incidents, status reporting and analyzing benchmarks and milestones to ensure incidents and alerts are triaged properly. M. Ensure that all evidence and the collection processes adhere to legal standards and that those processes are defensible in court when necessary. n. Adhere to the principals and practices of incident response and forensic investigation. o. Adhere to digital evidence collection procedures. P. Adhere to the principles and practices of effective project leadership. q. Adhere to budgetary practices and procedures. r. Adhere to the principles and practices of procurement and contracting. S. Act as incident commander for cyber-related incidents and provide direction for senior leadership. t. Testify as a subject matter expert (SME) in court proceedings for incident response and forensic investigations. U. Analyze cybersecurity incidents and forensics investigations as a subject matter expert (SME). V. Manage outsources contracts and vendors to implement related information security programs and policies. W. Provide on call and/or emergency support, including after hours as needed. X. Adhere to established service management processes and procedures. Y. Adhere to generate knowledge documents for inclusion in an established knowledge management system. Z. Perform all other related duties as assigned. 4. Ayers directly reported to Commonwealth Chief Information Security Officer Erik Avakian ("Avakian"). S. On February 1, 2016, Ayers submitted a Supplementary Employment Request form to OA to work as a consultant for Ayers Security Solutions. Avers, 19-040 Page 5 a. On the request form Ayers reported that he would provide computer security consulting. b. Ayers described the work as network intrusion assessments, network security monitoring, virus removal, and remediation and incident investigations. 1. The work Ayers listed was similar to the work he completed as a Commonwealth employee. C. Ayers described his duties with the Commonwealth on the form as incident response, forensic investigations, APT investigations, malware analysis, and Splunk manager. 1. Ayers was considered a Splunk Subject Matter Expert (SME). d. Ayers reported that the work would be performed at his home address. e. Ayers reported that he would complete six to twelve hours of work each week. f Ayers reported that he would work any day of the week and listed his work hours from 7:00 p.m. until midnight. g. Ayers answered no questions on the form pertaining to the employment creating an actual or potential conflict of interest with his Commonwealth employment. h. Ayers answered "no" to a question pertaining to whether Ayers Security Solutions would be associated with a political subdivision. i. Ayers signed the form, acknowledging that if any of the listed information changes he would be required to submit a new form. j. Ayers swore and affirmed that the information he provided contained no omission of material fact. 6. Ayers' request for supplementary employment was submitted in accordance with Management Directive 515.18. 7. Management Directive 515.1 S, which was issued on or around September 13, 2013, as amended, reads in part as follows: a. All employees who work for compensation or remuneration in any capacity outside of their Commonwealth employment, except for military duty, are required to file supplementary employment requests with their agency head or designated official who will either approve or disapprove the requests. Such supplementary employment shall include self-employment. Employees are required to resubmit requests when changing supplementary employment or whenever the duties of Ayers, t 9 040 Page 6 either their Commonwealth or supplementary employment position change substantially. b. Approval for supplementary employment must be obtained prior to accepting such employment for current employees and prior to employment with the Commonwealth for prospective employees. C. Supplementary employment is considered secondary to Commonwealth employment and any conflicts arising out of supplementary employment will be resolved in favor of the Commonwealth. Conflicts of interest in supplementary employment include, but shall not be limited to, conflict with conditions of employment established by the Executive Board (see Management Directive 525.11, Dual Employment) and, where applicable, the State Civil Service Commission; conflicts with conditions of employment, including hours of work, or regulations promulgated by the Commonwealth agency in which such employee is employed; and conflicts with other applicable laws, rules, or regulations. Commencing or continuing in supplementary employment after receipt of notice that such supplementary employment has been disapproved shall constitute grounds for discipline up to and including removal. d. Unless otherwise provided by specific agreement, the Secretary of Administration has final authority for resolving all conflict of interest disputes. e. Approval to engage in volunteer activities generally is not required. Approval of volunteer activities is required where the activity may present a conflict of interest with the employee's regular work hours, regular job duties or the mission of the agency or may affect the public's trust and confidence in the employee, the agency, or state government. Where the provisions of a collective bargaining agreement or memorandum of understanding address involvement in volunteer activities (e.g., participation in fire -fighting activities), such provisions will control. f. Approval of the Secretary of Administration is required for the following: Supplementary employment, including voluntary activities, for employees in senior level positions as defined in Management Directive 515.16, Appointment to Senior Level Positions. 2. Supplementary employment involving political activity, with or without compensation or remuneration. A search of Pennsylvania Department of State Bureau of Corporations and Charitable Organizations records confirmed that Ayers Security Solutions was never registered as a business entity. Avers, 19-040 Page 7 9. On February 29. 2016, OA Chief Counsel Julia Sheridan ("Sheridan") submitted a memorandum to OA Director of Human Resources Christopher O'Neal, approving Ayers' Supplementary Employment Request with Ayers Security Solutions. a. Sheridan included in the memorandum that Ayers' request was approved subject to the condition the supplemental employment does not interfere with Ayers' regular work hours or job performance or violate the Governor's Code of Conduct. b. Sheridan detailed in the memorandum that Ayers should be advised that annual or personal leave must be used for activity scheduled during normal Commonwealth work hours. 10. During the 2016 calendar year, Ayers began doing supplemental work for Cyber Risk Services, LLC ("CRS") as a threat analyst and/or consultant. 11. Ayers never submitted a Supplementary Employment Request to OA for approval to act as a consultant for CRS. a. In accordance with Management Directive S 15.18, employees are required to resubmit requests when changing supplementary employment or whenever the duties of either their Commonwealth or supplementary employment position change substantially. 12. Ayers was never authorized by OA to perform any supplementary employment for CRS. 13, On February 29, 2016, CRS was registered with the Pennsylvania Department of State Bureau of Corporations and Charitable Organizations as a limited liability company. a. Pamela J. Oliveira ("Oliveira") is the listed organizer of CRS. Oliveira is the domestic partner of Ayers. b. The address listed on the Pennsylvania Department of State filing was Oliveira's personal residential address. C. Ayers was not listed as an organizer or shareholder of CRS. 1. Ayers was the only individual performing any IT security consulting on behalf of CRS. 14. CRS has a website (https://cyber-risk-services.com/) to advertise services for the business. a. The website contains descriptions of services provided by CRS including end point protection, security information and event management services, network infrastructure security analysis, incident response services, employee/staff A . rs, 19-040 Page S conditioning for resiliency against malicious email messages, and various forensic services. b. Partners listed on the CRS website included Gemini Data Systems ("Gemini Data") (Koniz, Switzerland), Cofense, Phishme (Leesburg, Virginia), Carbon Black (Cambridge, Massachusetts), Splunk (San Francisco, California), Opentext/Guidance Software (Waterloo, Canada), and Access Data (Linden, Utah). 1. Gemini Data, Phishme, Cofense, and Splunk are all vendors of the Commonwealth: 2. Ayers worked directly with vendors from Gemini Data, Phishme, Cofense, and Splunk in his position with the Commonwealth and received training at Commonwealth expense on those products. C. The CRS mission statement listed on the company web page is as follows: "Cyber Risk Services (CRS), LLC offers industry leading tools, technology, and expertise to help secure our customer's information assets around the clock, at a fraction of the cost of securing these tools independently. CRS is committed to enhancing the cybersecurity workforce in small to mid -level businesses through education and service and helping to ensure their people, processes, and technology all complement one another to create an effective defense from eyber-attacks." 15. During a March 2016 County Commissioners Association of Pennsylvania ("CCAP") meeting, Avakian met with Chester County Chief Information Officer Glen Angstadt ("Angstadt"). a. The discussion between Avakian and Angstadt pertained to an apparent increase in network traffic that created a possible cyber security breach for Chester County. b. Avakian informed Angstadt that he would make his staff available to provide an assessment for Chester County. 1. The Commonwealth would complete the assessment for Chester County at no charge. 16. Angstadt emailed Avakian on March 15, 2016, to follow up regarding the conversation they had at the CCAP meeting. a. Angstadt wrote, "Erik, We discussed a potential Chester County security compromise with you at the CCAP security forum last week. You mentioned the possibility of getting assistance from your staff to assess. I would like to take advantage of your offer for a compromise assessment. Please let me know if this is possible; would like to discuss in more detail when you have some time. Thanks, GA." Ayers, 19-040 Page 9 17. On March 29, 2016, Avakian participated in a conference call with Angstadt, Chester County Security Officer William McConnell, and Chester County Deputy Chief Information Officer Alfred Sciotti. a. The purpose of the call was to discuss cyber security issues and the needs of Chester County. b. Avakian informed Angstadt that he would send Ayers to Chester County to provide assistance and conduct an assessment. 18. Commonwealth Deputy Secretary of Administration and Chief Information Officer John MacMillan confirnred to State Ethics Commission Investigators that it was the policy of OA IT Security to collaborate with County Chief Information Officers to provide cyber security assistance when requested. a. As Chief Information Security Officer, Avakian was responsible for approving the engagement with a county to offer assistance. 19. Ayers went to Chester County in May 2016, as a Commonwealth employee, to assist with a potential security breach on the Chester County network at the direction of his immediate supervisor, Avakian. 20. While meeting with Chester County officials as a Commonwealth employee, Ayers used his public position during discussions with Angstadt to advance a proposal to provide a network analysis as a paid consultant. a. Ayers proposed that he act as a consultant on behalf of In Plain Sight Digital Security, LLC ("IPSDS"). 21. Pennsylvania Department of State Bureau of Corporations and Charitable Organizations records reflect that IPSDS registered as a limited liability company on March 10, 2016. a. The listed organizers for IPSDS are CRS, LLC and MIDA Learning Technologies, LLC. b. Pennsylvania Department of State Bureau of Corporations and Charitable Organizations records reflect that Michael Speziale ("Speziale") is the organizer of MIDA Learning Technologies, LLC. 22. Speziale conceptualized IPSDS with Oliveira to provide cyber security services to school districts. a. Oliveira is the spouse of Ayers. l . In 2016, Ayers and Oliveira were cohabitating. Avers, 19-040 Page 10 b. Ayers was hired by Speziale to work as a consultant for IPSDS. 23. Speziale confirmed during a January 30, 2020, interview with State Ethics Commission Investigators that he and Ayers visited the Chester County Intermediate Unit and the Chester County IT Department in May 2016. a. This contact occurred after Ayers met with Chester County officials in his official capacity and determined that cyber security updates may be necessary. 24. Angstadt acknowledged Ayers and Speziale's visit in a May 17, 2016, email to Avakian. a. Angstadt wrote, "Erik, Wanted to reach out and express our appreciation for the commitment of Robert to Chester County. After a visit to Delco Comm College (I think), they decided to stop in our offices. They are currently working with one of our Internet provider ChescoNet on a similar outbound traffic problem. Found out they have a device that can assist our analysis and remediatinn. Bottom line is we are working together to leverage ChescoNet's equipment and your expertise. Please let him know we appreciate it... GA." 25, On May 21, 2016, Speziale provided Chester County with a Statement of Work proposal to complete the Network Traffic Analysis for Chester County, which included identifying Ayers as the IPS Lead Investigator/Principal Consultant. a. "The following is a statement of work (sow) to help identify issues existing on Chester County's computer network. In Plain Sight Security, LLC (IPS) is proud to assist your organization with assessing, identifying, mitigating, remediating, and preventing advance persistent threat malware. Through our unique approach and years of experience, using tools and techniques not available from most common anti-malware vendors. Our assessment will provide you with information about network traffic on the Chester County computer network. Outlined below is a phased approach to enabling Chester County to have a monitored, manageable, and secure information systems environment." Phase 1- Initial Exploration and Discussion "IPS's principal consultant, Robert Ayers, visited Chester County and a decision was made by Chester County to procure an assessment of the network traffic from Chester County's computer network to determine what is causing anomalous traffic patterns." Phase 2- Assessment "IPS will conduct a 7-day network traffic assessment using our network appliance. We will analyze the network traffic from Chester County in monitor only mode. Our investigation will be done on a copy of the traffic that is generated from a tap inside of the County's firewall or just before the web proxy." Avers, 19-040 Page 11 Phase 3- Monitoring "To provide the optimal monitoring results during the installation of the appliance, it is highly recommended that the client provide VPN access to the assigned lead investigator, Robert Ayers. During our assessment the appliance will email our staff about all identified critical and high alerts. If any of these alerts requires immediate action or remediation, this information will be sent to Chester County and Chesconet (with the authorization of Chester County) for responsive action (i.e. DNS block or frewall block)." Phase 4- Non -Disclosure "Before during and after our assessment, any information provided by Chester County about our means, methods, and processes will be contained in a Non - Disclosure (NDA) agreement. The NDA also specifies that IPS will NOT disclose the contents of any information identified during this assessment of the Chester County computer network to anyone NOT identified by the CIO of Chester County." Billing: "In Plain Sight Digital Security, LLC will consult and bill for services provided to Chester County at a one-time assessment fee of $5,000,00." b. Ayers requested that Chester County provide him with a virtual private network ("VPN") to complete the network analysis. 26. Speziale submitted an Internal Revenue Service Form W-9 to Chester County on May 23, 2016. 27. On May 24, 2016, IPSDS was approved as a new vendor with Chester County under ID #50434. 28. On May 25, 2016, Chester County approved a $5,000.00 requisition, #0000287419, for IPSDS to provide network analysis. 29. Ayers completed a network analysis on behalf of IPSDS for Chester County in June 2016. a. Ayers was the only representative of IPSDS working on the network analysis for Chester County. b. During a January 22, 2020, interview with State Ethics Commission Investigators, Angstadt stated that Ayers was "a one man show." 30. Ayers used a Fidelis XPS Scout device that he was able to obtain solely through his position as a Commonwealth employee to perform the network analysis for Chester County. Ayers, 19-040 Page 12 a. The Fidelis XPS Scout is a portable device used to perform network analysis. b. The Fidelis XPS Scout was loaned to the Enterprise Information Security Office as a proof of concept by Fidelis Sales Engineer Joe Kim in April 2016. C. Ayers was the only Commonwealth employee in the Enterprise Information Security Office who used the device and had exclusive access to the device. d. The Fidelis XPS Scout is described as "a set of virtual appliances designed to provide the tools necessary to gain broad network visibility for audit, assessment, and incident response teams." 31. In an April 25, 2015, email to Avakian, Ayers recommended the purchase of the Fidelis XPS Scout device. a. Ayers wrote, "Erik, Please send this on to Rosa for your discussion on additional technology that we would like to procure. This technology was not available at the time of our APT equipment purchase from Fidelis. This technology will allow us to do onsite immediate analysis without delay. It can also be used internally for our incident response and all other investigations as well." b. Ayers included in the email an attachment that described the functions of the Fidelis XPS Scout device. 1. "Reassemble, decode, and analyze network traffic in real time. Analyze all types of content no matter how encapsulated, encoded, embedded, compressed, or obfuscated. Automatically record network sessions of interest in real time. Collect rich metadata for long-term comprehensive network security analytics. Transportable hardware platform equipped with virtual bundle software. All in one form factor and pre built policies enable assessment within an hour. Full session analysis of all network traffic, protocols, and applications. Supports gigabit speed networks. The Fidelis Scout products are optimized and licensed for use in short-term assessments and investigations." 32. The total cost to purchase the Fidelis XPS Scout device is $206,790.00. The Fidelis XPS Scout device was never purchased by the Commonwealth and was used only as a proof of concept. 33. Ayers provided Chester County with a copy of the network analysis report he completed as part of his June 2016 work as an IPSDS representative. a. The network analysis report Ayers provided to Chester County was a Dashboard screenshot of a Fidelis XPS Scout report for network traffic analysis. Ayers, 19-040 Page 13 b. The Fidelis XPS Scout was equipment Ayers had access to only as a Commonwealth employee. 34. On August 26, 2016, IPSDS invoiced Chester County $5,000.00 under invoice No. 1001 for Ayers' completion of network analysis. a. The invoice was approved for payment by the Chester County Purchasing Office on September 12, 2016. b. The $5,000.00 payment was authorized by Angstadt as a professional service. 35. On September 13, 2016, Chester County TD Bank check No. 361183 in the amount of $5,000.00 was remitted to IPSDS. a. The back of the check was endorsed "Deposit to Cyber Risk Services." 36. M&T Bank account records confirmed that Chester County TD Bank check No. 361183 in the amount of $5,000.00 was deposited into an M&T Bank CRS business account on September 13, 2016. a. CRS received the entire payment from Chester County. b. Oliveira opened the CRS business account with M&T Bank on April 14, 2016. 1. The signature card for the M&T Bank account reflects the account in the name of Cyber Risk Services, LLC. 2. Account records reflect that Oliveira is listed as the sole account holder of the M&T Bank CRS business account. 37. Speziale confirmed during a January 30, 2020, interview with State Ethics Commission Investigators that he turned over total control of IPSDS to Oliveira in June 2016. a. Speziale asserted that Ayers was not available to perform the work that was required for school districts. b. Speziale claimed the business was not worth continuing with Ayers. C. On September 16, 2016, Speziale signed an agreement giving total control of IPSDS to Oliveira. 38. Ayers and CRS were not used by Chester County to provide any other cyber security related services. a. Chester County was dissatisfied with Ayers' quality of work. Ayers, 19-040 Page 14 1. Chester County Network Engineer Art Morris ("Morris") questioned Ayers regarding his report that the Chester County network was not secure. 2. Ayers could not provide evidence or documentation to support his findings. 3. Morris questioned the legitimacy of the network analysis completed by Ayers. 39. Ayers used the authority of his public position as an Information Technology Executive I to obtain a contract with Chester County for himself and a business with which he is associated, resulting in a private pecuniary gain of $5,000.00 to himself and CRS. a. Ayers' only access to Chester County officials was through his Commonwealth position. b. Ayers used equipment available only to him by virtue of his Commonwealth position to complete the terms of this contract. C. Ayers made a sales pitch to Chester County officials on behalf of his private business interests while on official Commonwealth business. d. Ayers used his public position to obtain the contract for IPSDS and/or CRS approximately three months after receiving supplemental employment approval which cautioned Ayers that any supplemental employment not violate the Governor's Code of Conduct. 40. On February 11, 2016, Bucks County Chief Information Officer Donald Jacobs ("Jacobs") emailed Avakian, seeking information about a virus found on the Bucks County network. a. Jacobs wrote, "In the last hour or so, we in Bucks County are getting hit with a strange virus. Our Trend system seems to be able to neutralize it when it finds it but we cannot get to the source. It seems to want to drop a file in the Startup folder for each user on a given computer. We have seen no adverse transactions but that is probable due to a time delay. Is anyone else seeing this? Action?" b. Avakian replied to Jacobs, "Don, we have not heard of reports of this here from the agencies but I am including Robert Ayers our incident response lead who may have questions for more information. Regards Erik." 41. On February 12, 2016, Ayers responded to Bucks County, as a Commonwealth employee, to assist with virus detection and remediation. 42. Jacobs emailed Avakian on February 12, 2016, to thank him for allowing Ayers to respond to Bucks County to provide eyber security assistance. Avers, 19-040 Page 15 a. Jacobs wrote, "Eric, I have not words to adequately express my appreciation for your allowance for Bucks County to leverage Robert Ayers and his incredible talent. Unfortunately for you, friend, he has wet our appetite for what you all can do. I may be begging you to help me build and pitch the argument for stronger tools here, such as Splunk, to which we have looked in recent weeks. Many, many thanks. If I could put a letter of commendation and appreciation in Robert's file myself, I would do it. And I'd love to do it for you too, for having seen our need and enabling this engagement. Best regards, Donald Jacobs." b. Avakian replied on February 12, 2016, "Thanks for the feedback Don. We're happy to be able to assist!" 43. On July 7, 2016, Avakian completed an Employee Performance Review for Ayers covering the period of April 1, 2015, through April 1, 2016. a. Under comments under Section 6, Work Habits, Ayers was commended for assisting counties with malware or virus issues. b. Avakian wrote, "Robert has recently volunteered to assist numerous counties who have experience issues related to malware, virus infections, or other malicious activity and received praise related to his assistance and leadership in the diagnosing and remediation of the issue they had. A recent example; I have no words to adequately express my appreciation for your allowance for Bucks County to leverage Robert Ayers in his incredible talent. Don Jacobs, Bucks County CIO." C. Avakian denied to State Ethics Commission Investigators of having any knowledge of Ayers using his contact with Bucks County as an opportunity to obtain cyber security consultant work for CRS. 44. On January 6, 2016, Bucks County approved a $42,000.00 contract with Donald Brennan & Associates for the 2016 calendar year. a. Donald Brennan & Associates provided IT programming services, including web base design, application programs OnBase, SQL and NET services. b. Donald Brennan & Associates provided technical services pertaining to UNIYS Clear Path system and Legacy Government solutions. Donald Brennan & Associates maintained the Bucks County mainframe system. d. Donald Brennan ("Brennan") is the owner of Donald Brennan & Associates. 45. Following Brennan's completion of the work under the 2016 contract, Bucks County had funds that remained unused. Ayers, 19-040 Page 16 a. Jacobs contacted Brennan about the unused funds on the contract and directed that Brennan contract with Ayers/CRS for the balance of the contract. b. Brennan had no business relationship with Ayers/CRS prior to the direction from Jacobs. 46. In the fall of 2016, Brennan met with Jacobs, Ayers, and Oliveira at the Bucks County IT Office to discuss Brennan's subcontract with Ayers/CRS. a. Jacobs instructed Brennan to pay CRS and Ayers from the remaining Bucks County funds he received for the 2016 calendar year from October 2016 until January 2017. b. Brennan agreed to pay Ayers and CRS directly from funds he received from Bucks County. c. Jacobs was familiar with Ayers/CRS only through services provided by Ayers through his employment with the Commonwealth. d. Jacobs' direction to Brennan to utilize Ayers/CRS circumvented standard Bucks County purchase procedures. 47. Invoice records of Bucks County confirmed that every invoice submitted by Donald Brennan & Associates from November 2016 through January 2017 included "Cyber Risk For Consulting and System Analysis Services Regarding Network Support." a. Each invoice referenced Bucks County Purchase Order 14296, Brennan's original Purchase Order with Bucks County. 48. From November 2016 until January 2017, Donald Brennan & Associates received $28,840.00 in payments from Bucks County. 49. Brennan paid Ayers/CRS. $18,920.00 from November 2016 until January 2017 from payments he received from Bucks County for cyber services directed by Jacobs. 50. Brennan received two invoices from CRS in October 2016 and November 2016. a. CRS submitted invoice No. 1003 on October 27, 2016. 1. The invoice detailed that twenty (20) hours of work was completed. 2. Ayers was on site at the Bucks County IT office on October 20, 2016, from 10:00 a.m. until 5:00 p.m. 3. The invoice detailed the remaining thirteen (13) hours were completed remotely. Avers, 19-040 Page 17 4. The invoice did not detail the amount to be paid. b. The description of work completed by CRS and Ayers on invoice No 1003 included: "Installed Sbox POC server. 1. Installed Cisco Splunk app & configured. 2. Installed InfoBlox Technology AddOn to enable log processing by Splunk. 3. Imported archived syslog data from syslog server InfoBlox & Cisco ASA; Configured settings in Splunk enabling the following sources to receive logs a. Cisco ASA. b. InfoBlox. Configured custom Cisco dashboard. Configured custom InfoBlox dashboard. Worked with agency staff to configure InfoBlox and Cisco ASA to send their logs to the Splunk Server. 4. Identified that in order to enable syslog traffic from Websense Serve that a module would have to be installed. This was previously identified during the last security incident. The information and links to install this Websense Multiplexer module will be provided to the county Websense SME. 5. Created custom Splunk dashboards to dynamically identify what machines were making random DNS queries. 6. List of machines generated -making dynamic DNS queries created to further research the root cause. 7. Met with Agency (DCIO) & election staff to discuss election night plans and failover methods should network issues occur." c. The second CRS invoice (No. 2004) was submitted by CRS for the week ending November 1, 2016. 1. Ayers invoiced Brennan for fifty-five (55) hours of work completed. 2. The invoice reflects Ayers was on site at the Bucks County IT Office on October 28, 2016, for five (5) hours. 3. Ayers claimed that he worked the remaining fifty (50) hours remotely. 4. The invoice did not include the total amount to be paid. d. The description of the work on the invoice included the following: Ayers, 19-040 Page 18 Network Appliance Assessment. Configured appliance to us a feed from the Websense Appliance. a. Removed sensor and extracted data. b. Removed Gigamon Tap. c. Extracted & archived logs for import. 2. Detailed metadata collection from Network Collector. 3. Discussed finding from Collector Data. 4. Identified many internal IP addresses making random DNS queries. Agency staff indicated they would investigate local and provide the results. Discussed blocking UDP port 53 at the firewall for all except internal IT staff, domain controllers, InfoBlox No final determination made. 5. Additional scans of machines identified during the assessment. Reports to be provided to county on scan results. 6. Met with Agency (DCIO) to discuss scan results and step to move forward 7. Discussed Sbox POC & Outlier POC. Sbox Server will be onsite next week." 51. Ayers used Commonwealth equipment in furtherance of his subcontract with Bucks County. a. Ayers included the removal of a Gigamon Tap device on the CRS invoice (No. 2004). b. The Gigamon Tap device, including accessories, was purchased by the Commonwealth on April 14, 2015, from Pomeroy Technologies in the amount of $12,761.84. C. The Gigamon Tap device is described as "A network TAP (test access point, sometimes also called an ethernet TAP) is an external monitoring device that mirrors the traffic that is passing between nodes. A network Tap is inserted at a strategic point in the network or public and private cloud to monitor specific data. Network TAP technology provides access to the traffic required to secure, monitor and manage your network infrastructure continuously and efficiently. The network TAP sits between tow endpoint devices. Then traffic is seen and copied, providing visibility into the networked traffic. Network TAP's capture data and forward it to another device for aggregation, filtering and monitoring of traffic intelligence. It maintains no data or logs as it just passes traffic." d. The Gigamon Tap device is a portable device that is stored within a briefcase. e. As an Information Technology Executive 1, Ayers had exclusive access to the Gigamon Tap device, and he kept the device in his workspace. Ayers, 19-040 Page 19 52. CRS M&T Bank account records confirm that $18,920.00 in payments were deposited from a Well Fargo Bank account between November 9, 2016, and January 11, 2017. a. Wells Fargo Bank account records document that the account was maintained by Donald Brennan and Barbara Brennan. 53. The chart below reflects payments made to CRS/Ayers from Donald Brennan & Associates as a result of the subcontract directed by Jacobs. a: Transaction Memo/Transaction Date Type Information Amount Acet Demand 11/9/2016 Deposit Wells Faro DDA to DDA $4,900.00 M&T Demand 12/20I2016 Deposit Wells Faro DDA to DDA $5,270.00 M&T Demand 1/11/2017 Deposit Wells Faro DDA to DDA $5,750.00 M&T Sure Pay Wells Fargo Sure Pay & 1/11/2017 1 Deposit Assoc In $1,500.00 M&T Sure Pay Wells Fargo Sure Pay & 1/11/2017 Deposit Assoc In $I,500.00 M&T Total $18,920.00 b. Brennan paid CRS $18,920.00 directly from payments he received from Bucks County. C. The payments made to Ayers/CRS by Brennan occurred as a result of security consulting services provided by Ayers for Bucks County. 1. Ayers secured the security consulting services with Bucks County through his employment with the Commonwealth. 54. While serving as a subcontractor for Bucks County, Ayers used and/or attempted to use employees to fulfill the terms of his contract. a. In a November 30, 2016, email, Bucks County Enterprise Manager Bernard Tomczak ("Tomczak") contacted Jacobs and Bucks County Deputy Chief Information Officer Nancy Horvath to report his frustration with Ayers using Tomczak to personally enrich himself. b. Tomczak wrote, "I am going on record here with both of you that I work for the County not Robert Ayer's consulting firm. I don't appreciate being used after hours to assist him with enriching himself at my and County expense. I want to make sure that my teams after -hour response efforts are for major issues only, for obvious reasons. If he has needs he should utilize county resources during our normal business hours and understand that we have County projects and priorities that may limit our response to his contracted support. If that conflicts with his primary Ayers, 19-040 Page 20 employment as a PA State employee then he needs to reevaluate that commitment and the one he made with the County of Bucks. You can tell him this or I will, you're choice. Ben." 55. While serving as an advisor to Bucks County as a Commonwealth employee, Ayers used his public position to secure a subcontract with Bucks County for himself and/or CRS, a business with which he is associated, resulting in a private pecuniary gain of $18,920.00. a. Ayers was only able to secure the subcontract with Brennan as a result of his public position and interaction with Bucks County officials. 56. In or about February 2018, Ayers and Jacobs again discussed CRS contracting with Bucks County to provide cyber security consulting. a. Jacobs informed then Bucks County Chief Operating Officer Brian Hessenthaler ("Hessenthaler") in February 2018 that he intended to hire Ayers as a consultant. b. Hessenthaler advised Jacobs that hiring a Commonwealth employee to perform work for Bucks County was "not a good idea." 1. Hessenthaler questioned how a Commonwealth employee could work for Bucks County at the same time. 2. Hessenthaler did not provide a written memorandum to Jacobs instructing him not to hire Ayers as a consultant. 3. Hessenthaler assumed after speaking to Jacobs that he would heed his advice not to hire a Commonwealth employee to provide services for Bucks County. 57. Jacobs went against the advice of Hessenthaler and contracted with Ayers to provide cyber security consultant work for Bucks County. a. During an interview with State Ethics Commission Investigators, Jacobs asserted he hired Ayres and CRS to save Bucks County money. b. Jacobs also admitted that, "Yeah I ****** up. I should have listened to him right off the bat." 1. Jacobs referenced his initial conversation with Hessenthaler when Hessenthaler advised him that hiring a Commonwealth employee to provide services for Bucks County was a bad idea. 58. CRS was required to obtain liability insurance to work as a contractor for Bucks County. a. All the actions to secure liability insurance were done by Ayers. Ate, 19-040 Page 21 b. On February 8, 2018, Ayers emailed Joseph Rumer ("Rumer") of the Rumer Financial Group to inform him that he would need liability insurance for a potential client. 1. The potential client Ayers referenced was Bucks County. C. Ayers wrote, "Joe, Just reaching out again, we didn't get the contract last time so the insurance wasn't required. But now we are in need of this insurance once again for a potential client. I'm working on filling out the app now. You should have it momentarily. Thanks Robert." d. Ayers included an attached application for liability insurance in his February 8, 2018, email to Rumer. e. Oliveira completed the application for insurance and signed the document. f. On February 13, 2018, Ayers emailed Rumer to inform him that Bucks County was waiting on proof of insurance. 1. Ayers wrote, "Let me know as soon as you get them Bucks County is waiting for the proof of insurance. Thanks Robert." g. After reviewing the insurance application, Rumer emailed Ayers on February 13, 2018, to inquire who would be providing the cyber security services. 1. Rumer wrote, "Robert, is it you or Pam that is providing the services? Thanks. Joe,,' h. Ayers replied to Rumer on February 13, 2018, to inform him that he and Oliveira would be providing services for CRS. 1. Ayers wrote, "We both are involved. I do the onsite reports and meetings and the log analysis. She focuses on and I training recommendations based on the analysis results." 2. Ayers acknowledged his participation in coordinating onsite meetings, reports, and log analysis. 3. Ayers completed all the cyber security consultant work for Bucks County as the virtual Chief Information Security Officer. Avers, 19-040 Page 22 i. Rumer replied to Ayers on February 13, 2018, to inquire about CRS' annual gross revenue. 1. Ayers replied to Rumer on February 13, 2018, "$100,000 max $250,000." j. On February 17, 2018, Ayers emailed Rumer to follow up on the liability policy. l . Ayers informed Rumer that he had Statements of Work ("SOWs") waiting. 2. The SOWs referenced by Ayers were with Bucks County: 3. Ayers wrote, "Joe, Any update? We have pending SOWIRSs waiting. Thanks, Robert." k. On February 19, 2018, Rumer emailed Ayers a copy of a liability insurance proposal with USLI. 1. Ayers replied to Ruiner on February 19, 2018, and inquired if the insurance proposal was comparable to what Jacobs had when he was a contractor. 2. Ayers wrote, "Do all of these coverages amount meet or exceed the requirements for Bucks County? Are they similar to what Don had? Don was a contractor for Bucks County. Without having that other proposals in hand and based on your experience, do you think that they will comparable in cost? Thanks, Robert." 3. Rumer informed Ayers that Jacobs used USLI as his insurance provider. 4. Rumer further wrote, "Yes, this is the same company Don had. I haven't been Bucks County's requirement in a few years now, but these limits were acceptable back then and should be fine now as well. The other rates will most likely be pretty similar. Chubb is usually a little higher." 1. Ayers selected USLI to provide liability coverage for CRS. 59. On February 23, 2018, CRS obtained liability insurance through USLI. a. The liability insurance included commercial general liability, automobile liability, and technology professional liability. b. The total liability insurance premium was $100,000.00. C. The certificate was provided to CRS on March 1, 2018. Ayers, 19-040 Page 23 60. On March 13, 2018, Oliveira submitted an Internal Revenue Service form W-9 to Bucks County. a. CRS was listed as the business. b. Oliveira's signature is affixed to the form W-9. C. Ayers is the principal consultant of CRS and was the only representative of CRS that provided cyber security work for Bucks County. 61. From February 2018 until April 2018, Ayers/CRS performed cyber security consultant work for Bucks County without a contract. a. CRS was paid by Bucks County under IT professional services. 62. CRS first invoiced Bucks County on March 7, 2018, for work completed from February 7, 2018, until March 7, 2018, under invoice No. 03072018-1. a. CRS billed Bucks County a total of $6,000.00. b. The work detailed on the invoice included the following: l . Initial implementation of S-Box Server. 2. Voice support during incident 2/7-3/7. 3. Forensic acquisition of 3 Bucks County hard drives identified during the incident as patient zero. 4. Custom dashboard for identification of malicious activities during the incident. 5. Ongoing support/recommendations to IT staff on suggested changes and how to implement them. 63. The March 7, 2018, CRS invoice included the implementation of a Gemini S-Box Server. a. Gemini Data provided a proof of concept for Bucks County in March 2018. 1. Ayers communicated directly with Gemini Data Sales Representative Julia Yueh ("Yueh") to obtain the proof of concept for Bucks County. 2. Ayers met Yueh through his employment with the Commonwealth. b. S-Box Servers are secure hardware devices that allow for the installation of Splunk security software. Ayers, 19-040 Page 24 1. Splunk is a security information and event management (STEM) solution that enables security teams to quickly detect and respond to internal and external attacks, to simplify threat management while minimizing risk. C. Ayers provided a proof of concept with Splunk to coincide with the Gemini Data proof of concept. 1. Ayers received training on the use of Splunk through his Commonwealth employment. 64. On March 16, 2018, a $6,000.00 payment to CRS was approved by Bucks County. a. Jacobs authorized payments to multiple IT contractors and vendors including CRS. b. Bucks County uses Wells Fargo Bank as its depository. 65. CRS was issued a Bucks County Wells Fargo Bank check (No. 359413) on March 16, 2018, in the amount of $6,000.00, 66. CRS' M&T Bank account records reflect that on March 26, 2018, Bucks County check No. 359413 was deposited into the account. a. The check was endorsed by Oliveira. 67. On March 28, 2018, CRS invoiced Bucks County for work completed from March 7, 2018, through March 28, 2018, under invoice No. 03282018-1. a. CRS billed Bucks County a total of $4,800.00. b. The work performed by Ayers on the invoice included the following: 1. Support and log analysis for DOS SQL & PowerShell events, custom dashboard creation, Server Ram Capture and analysis, of Virtual server, COB fax server RAM analysis. 2. Voice support during incident 3-7 through 3-28, Onsite support, Meeting 3/38/2017 5.5 hours. 3. Forensic investigation of 3 Bucks County hard drives- All three devices not involved with original incident. 4. Log analysis for "mining site," connectivity from County computer. 5. Ongoing support/recommendations to IT Staff on suggested changes and how to implement them. CIS 20 Security Control discussion on how to fill gaps. Ayers, 19-040 Page 25 C. Ayers charged for onsite support on March 28, 2018, in Bucks County while he was simultaneously being compensated by the Commonwealth. d. Ayers, alone, completed all of the work for Bucks County identified in Invoice No. 03282018-1. 68. On April 6, 2018, Bucks County approved payment of CRS Invoice No. 03282018-1. a. CRS was issued a Bucks County Wells Fargo Bank check (No. 359413) in the amount of $4,800.00 on April 6, 2018. 69. CRS' M&T Bank account records confirm that Bucks County check No. 359413 was deposited at the Pittston -Bypass M&T Bank branch (2 Rachael Drive, Pittston, PA 18640) on April 10, 2018. a. The Pittston -Bypass M&T Bank branch is .6 miles away from Ayers' residence. b. The check was endorsed by Oliveira. 70. Ayers emailed the CAS invoice to Jacobs on May 1, 2018, for work completed for the period of March 29, 2018, through April 17, 2018, under invoice No. 05012018-1. a. CRS billed Bucks County a total of $8,160.00. b. The work performed by Ayers on the invoice included the following: 1. Support and lag Analysis for DOS/SQL & PowerShell events, custom dashboard creation, sysmon log analysis of server, docprodaap 01 as possible "initial infection vector" for lateral movement, server ram capture and analysis. 2. Voice support during incident 3-29 through 4-17. 3. Onsite support meeting 4/12/17, 4.5 hours. 4. Remote investigation VPN 4/17 PowerShell script analysis docprodaap0l malware analysis "3333," "5555," connectivity from county computers. 5. Ongoing support/recommendations to IT staff on suggested changes based on analysis continuous log analysis 4/17. 6. Carbon Black POC installation, configuration, and deployment up to 100 clients. doeprodaap 01-result analysis. 7. IML locator support call- IML logs are now being collected by Splunk. Avers, 19-040 Page 26 C. Ayers completed all of the work for Bucks County as the principal consultant for CRS. 71. Ayers' emailing of the invoice to Jacobs created a delay in the approval process. a. Bucks County Network Engineer Scott Wilson ("Wilson") emailed Ayers on May 21, 2018, regarding the delay in payment. 1. Wilson wrote, "Hi Robert, Look at the attachment, it's the start of documenting Carbon Blacks and Splunks need at the county. Also regarding invoice with Don, what was it for and how much. Sending to him only is probably not the best way to get paid. I will talk to my office mate about better submission, this is his role. Ron Keaser BA for IT. Been busy as all get out this morning, do we need to rap about anything else?" 72. On .Tune 29, 2018, Bucks County approved an $8,160.00 payment to CRS. a. CRS was issued a Bucks County Well Fargo Bank check (No. 366822) in the amount of $8,160.00 on June 29, 2018. 73. CRS' M&T Bank account records reflect that the Bucks County check (No. 366822) was deposited on July 3, 2018, at an M&T Bank ATM in Dallas, Pennsylvania. 74. On May 23, 2018, Ayers emailed Jacobs and Wilson a copy of a "Cyber Security Roadmap" for Bucks County. a. Ayers wrote in the email, "Don, Scott Take a look at this. Regards, Robert." b. Ayers included the following attachment titled "Bucks County Cyber Security Roadmap." Bucks County Cyber Security Roadmap CIS assessment tool CIS -CAT This tool will assess the Bucks County Environment, including workstation, servers and other critical assets. It will provide the baseline reports to create the initial risk footprint. Presently, Vulnerability, Assessment and Remediation are listed as the number 4 CIS control. The reports provided by the CIS -CAT tool can then be used to correct the identified issues and will serve as a roadmap moving forward on a continuous basis. This will show progression of remediation activity on the identified devices. The results of this first scan will be collected in Splunk as a baseline of that footprint. This along with other collected data including Windows event Ayers, 19-040 Page 27 logs, sysmon logs, and other device logs as appropriate will build the overall snapshot of security in Bucks county, this snapshot will reveal other critical events that occur daily on Bucks County assets which right now are not being addressed in a manner that will aid in the prevention of future malicious activity by early detection prevention and remediation. Splunk Presently Bucks County does not have an enterprise SIEM system, (Security Incident Event Management). This is a log collection and information correlation software package that runs on a Gemini Server. Bucks County is presently doing a POC of the Gemini server running the Splunk software package. Splunk has been identified as a leader by Gartner and is located the upper right quadrant in the category of SIEM technologies. Presently, SIEM is listed as the number 6 CIS controls and defined as a Maintenance, Monitoring and Analysis of Audit logs. Splunk provides a full suite of solutions oriented toward SIEM that allow users to grow into the platform over time, including Enterprise Security, (ES) User Behavior Analytics, (UBA) and also supports Azure AD Azure ADFS as well as 0365 email functionality. Log auditing is not presently being done in the Bucks County environment. Gemini Gemini servers are purpose built server appliance designed specifically for the Splunk software package. The Gemini operating system is a protected operating system that requires little to no maintenance on the underlying operating system and provides a user friendly interface to manage Splunk. The Gemini OS manages the patching and updating of the Splunk software package. Presently the following log sources are being collected; Cisco ASA Firewall, DC (domain controller) events logs, domain Active Directory logs, Trend AntiVirus logs, sysmon logs from the domain controllers as well as workstations that have been identified as having been involved in malicious activity. It is also installed on many of Bucks County application servers including the servers involved in the PowerShell incidents as well as the devices being monitored by the Carbon Black POC. The docprodappl server's IML application service is being monitored for troubleshooting the shutdown problems it has been having. The Carbon Avers, 19-040 Page 28 Black POC is a cloud solution that has identified and prevented many malicious events in the Bucks County environment. Carbon Black Carbon Black is a next generation endpoint solution that offers the identification and prevention of malicious activity, it provides a detailed view into the activities of the endpoint. Our present AV solution Trend is not meeting our needs due to the lack of detail surrounding the events it identifies and does not offer any more detail at our existing license level. Our present AV package does not offer logging, or in-depth analysis of the events that it identifies. The Carbon Black POC is not bound to any current purchasing procurement. If Bucks County decides to procure the Carbon Black solution, quotes will be provided for requested number of endpoints. Moving for►vard These solutions together will provide a complete solution and will offer Bucks County a more secure Cyber Security environment then presently exists today. This solution can be managed by Bucks County in its entirety or as a managed security service. Cyber Risk Services LLC would be willing to provide these services to Bucks County at previously discussed consulting rates, specifying the maximum number of hours through the end of 2018. This contract could also span multiple years. Gemini will supply hardware support for the life of the contract and Splunk will provide software support as necessary. Cyber Risk Services will act as the conduit for this support and would be included in above services. Quotes have been provided to Bucks County for the purchase of Splunk and the Gemini server solution. Those quotes provided were for 20 GB (gigabyte) and 40 GB (gigabyte) per day respectively. The quotes included all of the hardware (servers) required to run Splunk and included the storage to hold that amount of logs. The quote also included the Splunk Enterprise Security Application. This is the component of Splunk that delivers most of the security monitoring capabilities, includes prepackaged security specific related queries, visualizations and dashboards, as well as its own case management, workflow and incident response capabilities. All of this will provide that data in a "Single Pane of Glass" which offers a real-time view into the Cyber Security status of Bucks County. 75. On July 13, 2018, Ayers emailed Jacobs and Wilson a contract proposal from CRS to provide cyber security services. Avers, 19-040 Page 29 a. The title of the proposal was "Subject Matter Expert (SME) Professional Services Quote." b. The proposal included five hundred (500) hours annually at $140.00 per hour, or forty-two (42) hours monthly and ten (10) hours weekly. C. Ayers wrote, `Bucks County SME Professional services quote Total hours annually, 500 @ $140.00 per hour. That breaks out to 42 hours monthly and 10 hours weekly. Hours do not expire weekly or monthly but will expire at the end of the 12 month period following the approval of the agreement. The hours can be utilized in the management and maintenance of Splunk, the management and maintenance of Carbon Black. The present workload will be continued using the minimum of 10 hours a week for the minimum total of 40 hours per month. If necessary the hours can be increased accordingly to accommodate the workload. If the total number of hours exceeds 500 during the agreement period, the additional hours will be billed at the rate of $140.00 per hour. Any work exceeding the number of agreement hours over 500 will require Bucks county approval prior to beginning the hourly work. In addition to the items listed above, the hours can be utilized for the following tasks; Incident Response and Assistance. Phishing Assessment services utilizing Bucks County Phishme accounts. Vulnerability Assessment scanning. Forensic investigations." 76. On September 21, 2018, Ayers and CRS submitted the same proposal to Bucks County Business Analyst Ronald Keaser ("Keaser"). a. The proposal was submitted on CRS letterhead and contained the services incident response and assistance, phishing assessment services, vulnerability assessment scanning, and forensic investigations. b. The proposal included the same hourly rate of $140.00 per hour and 500 hours annually. 77. On September 24, 2018, Sectri, a cyber security provider, submitted a proposal to Keaser for services similar to those outlined by Ayers. a. The quote detailed $250.00 per hour to provide incident response, phishing assessment, and vulnerability assessment scanning on an as -needed basis. b. The proposal included the same services outlined in the CRS proposal. The hourly rate was $110.00 more an hour than the proposed hourly rate Ayers submitted to Bucks County, 78. On September 27, 2018, GHA Technologies, a cyber security provider, also submitted a proposal to Keaser. Ayers, 19-040 Page 30 a. The proposal detailed $250.00 per hour to provide incident response, phishing assessment services, vulnerability assessment scanning, and forensic investigations. b. The proposal contained the same services outlined in the CRS proposal. C. The hourly rate was $110.00 more than the proposed hourly rate submitted by Ayers. 79. On October 3, 2018, Jacobs submitted a memorandum to the Bucks County Commissioners, explaining the agreement with CRS and formally requesting approval for CRS on the October 17, 2018, Commissioners Agenda. a. Jacobs wrote, "To the Administration: Please accept this memorandum as an explanation for an agreement with Cyber Risk Services. CyberRisk Services will provide professional services to the County of Bucks for cyber security. These services include: incident response and assistance during an attack, phishing assessment, vulnerability assessment, scanning, forensic investigations, as well as management and maintenance of Splunk and Carbon Black security components. In a meeting between the COO, the Chief Clerk, the Solicitor, Purchasing, and IT was determined that these purchases all fall within regular purchasing laws, and county purchasing policies. IT has received three quotes for these services as stated in the purchasing policies. This request is for consideration on the October 17, 2018 Commissioner Agenda. If there are any questions please do not hesitate to contact me." 80. Jacobs did not disclose to the Bucks County Commissioners that Ayers, a Commonwealth employee, would be providing cyber security services for Bucks County. 81. During an October 17, 2018, Bucks County Commissioners meeting, CRS was approved for a $70,000.00 contract to provide cyber security services, including management and maintenance of security components. a. The term of the contract was from November 1, 2018, through October 31, 2019. 82. Ayers never submitted a supplemental employment request to obtain approval for this outside employment. a. Ayers was able to secure this contract as a result of his prior assignments as a Commonwealth employee to provide assistance to Bucks County. b. Ayers utilized skills and expertise obtained through his public position to secure the contract. 83. CRS invoiced Bucks County on November 28, 2018, for cyber security services that Ayers completed. Avers, 19-040 Page 31 a. Bucks County was billed $9,520.00 for sixty-eight (68) hours of work. b. The invoice reflects that Ayers provided the following services: 1. Pre -election assessment of infrastructure/traffic. 2. Splunk work PhishMe/Firewall/AD/Sysmon logging. 3. Century Link Log Analysis Investigations- Inbound RDP connections - multiple Servers. 4. Carbon Black Defender monitoring and analysis. C. Ayers was the only CRS representative completing any of the cyber security work for Bucks County. 84. On November 26, 2018, Ayers, a principal for CRS, emailed Keaser to inquire about obtaining electronic payments from Bucks County for CRS. a. Ayers wrote, "Ron Do you have a contact that we can call to get. The requirements for electronics vendor payments for CRS? Thanks, Robert." b. Keaser replied to Ayers, "Including Rick Brodbeck- this is his area of expertise." C. Bucks County IT Business Manager Richard Brodbeck ("Brodbeck") replied to Ayers on November 26, 2018, "Hello Robert, You will have to fill out a form from the Controller's Office to set up your ACH account with us. I have CC'd the Deputy Controller Kim Doran on this e-mail so she can send you the form to fill out. Thank you." d. On November 26, 2018, Ayers completed the Bucks County authorization for Automated Clearing House ("ACH") transfer form. I . Ayers included his business email address. 2. The form reflects the email address allows for notification of an ACH payment. 3. Ayers listed the CRS M&T Bank account on the form. 4. Oliveira's signature is affixed to the form even though the contact address is Ayers' address. C. The ACH authorization form was approved by Bucks County Controller Kim Doran. f. After November 26, 2018, all payments made to CRS by Bucks County were electronic transfers. Ayers, 19 040 Page 32 85. Bucks County approved a $9,520.00 payment to CRS on December 7, 2018. a. The payment was for services listed on the November 28, 2018, CRS invoice. 86. CRS' M&T Bank account records confirm that a $9,520.00 direct deposit from Bucks County was credited to the account on December 10, 2018. 87. On December 22, 2018, CRS invoiced Bucks County for cyber security services that Ayers completed for Bucks County. a. CRS billed Bucks County $5,600.00 for thirty (30) hours of work. b. The invoice reflects Ayers provided the following services: I. Installation and updating of Splunk applications. 2. Splunk Work- Server Incident Analysis, DWJ reports and alert creation, top bandwidth workstation, and server identification, new server Splunk software installation and configuration, prep work for server migration. 3. Splunk work Carbon Black Integrations. 4. Century Link Log Analysis Investigations Inbound & Outbound Firewall log ingestion dashboard creation. 5. Carbon Black defender installation, newly identified at risk workstations, Monitoring and Analysis. 6. Splunk Forwarder installation, Sysmon installation, on newly identified Workstation based on CenturyLink logs. C. Ayers was the only CRS representative to complete any services for Bucks County. 88. Bucks County approved a payment of $5,600.00 to CRS on January 18, 2019. 89. CRS' M&T Bank account records detail that a $5,600.00 direct deposit from Bucks County was credited to the account on January 22, 2019. 90. On January 28, 2019, CRS invoiced Bucks County for 40 hours of work completed by Ayers. a. CRS billed Bucks County $5,600.00 for 40 hours of work. b. The invoice detailed the following services completed by Ayers: 1. Installation and updating of Splunk applications, Splunk work- Server Incident Analysis, DWJ reports and alert creation, top bandwidth Ate, 19-040 Page 33 workstation and server identification, new server Splunk software and configuration, prep work for new server migration. 2. Splunk work Carbon Black integrations. 3. Century Link log analysis investigations. 4. Inbound outbound firewall ingestion, dashboard creation. 5. Carbon Black defender installation, newly identified at risk workstations, Monitoring and analysis 6. Splunk forwarder information, Sysmon installation on newly identified workstations based on Century Link logs. C. Ayers was the only CRS employee completing any work for Bucks County. 91, On February 15, 2019, Bucks County approved a payment of $5,600.00 to CRS. 92. CRS' M&T Bank account records reflect that a $5,600.00 direct deposit from Bucks County was credited to the account on February 19, 2020. 93. The chart below reflects payments that Bucks County made to CRS for cyber security consultant work Ayers provided from March 2018 through February 2020. Transaction Check Type No. Memo/Transaction Amount Acet Credited Payee Check Deposit 359413 De osit $6,000.00 M&T 3/26/18 CAS ATM Check Deposit Check Deposit 360560 Pittston $4,800.00 M&T 4/10/18 CRS ATM Check Deposit Check Deposit 366822 Dallas $8,160.00 M&T 7/3/18 CRS County of Bucks AP Direct Deposit NIA Pa ment $9,520.00 M&T 12/10/18 CRS County of Bucks AP Direct Deposit NIA Pa ment $5,600.00 M&T 1/22/19 CRS County of Bucks AP Direct Deposit N/A Payment $5,600.00 M&T 2/19/19 CRS County of Bucks AP Direct Deposit— N/A ..Payment $38,280.00 M&T 3/4/19 CRS County of Bucks AP Direct Deposit— N/A Payment $9,800.00 M&T 3/18/19 CRS County of Bucks AP Direct Deposit— N/A Pa meat $7,700.00 M&T 4/8/19 CRS County of Bucks AP Direct Deposit N/A Pa meat $5,600.00 M&T 5/13/19 CRS County of Bucks AP Direct Deposit N/A Pa went $11,200.00 M&T 6/17/19 CAS County of Bucks AP Direct Deposit N/A Pa went $5,220.00 M&T 7/22119 CRS Ayers, 19-040 Page 34 County of Bucks AP Direct Deposit N/A Payment $5,600.00 M&T 8/12/19 CRS County of Bucks AP Direct Deposit N/A Payment $5,600.00 M&T 9/3/19 CRS County of Bucks AP Direct Deposit N/A Payment $3,780.00 M&T 9/15/19 CRS ATM Check Deposit Check Deposit 403476 Shavertown $6,720.00 M&T 1/3/20 CRS County of Bucks AP Direct Deposit NIA Payment $6,160.00 M&T 1/21/20 CRS County of Bucks AP Direct Deposit N/A Payment $5,600.00 M&T 2/18120 CRS Total $150,940.00 94. All of the $150,940.00 in payments Bucks County issued to CRS were related to cyber security consulting provided by Ayers. a. Ayers was able to secure these contracts only as a result of assistance he provided to Bucks County as a Commonwealth employee. b. Ayers had no connection to Bucks County before being assigned by Avakian to provide assistance as a Commonwealth employee. C. Ayers never sought supplemental employment approval, which concealed his contracts that in part were completed during Ayers' Commonwealth work hours. d. Many contacts Ayers had with Bucks County officials occurred during his Commonwealth work hours. C. Ayers completed all of the cyber security work for which Bucks County was invoiced. 95. Ayers' contracts with Bucks County were the result of Ayers' direct contact with Bucks County officials in the performance of his Commonwealth position as an Information Technology Executive 1. 96. Bucks County severed the business relationship with CRS and Ayers in February 2020 after commencement of the State Ethics Commission investigation. 97. Gemini Data is an infrastructure solution that enables the user to deploy, scale, manage, and explore data across hybrid infrastructures in one centralized interface. a. Gemini Data allows for the "plug and play" of Splunk software. 98. While a contractor for Bucks County and still a Commonwealth employee, Ayers emailed two Gemini Data S-Box quotes to Jacobs on May 1, 2018. a. Ayers included three attachments in the email, including a Gemini Data product description and two purchase quotes. Avers, i 9-040 Page 35 1. Both quotes included the purchase of three Gemini Data appliances and a three-year license and service support. 2. The first quote was for $66,597.00 and the second quote was for $49,948.00. 99. Ayers included the recommendation to purchase Gemini Data S-Boxes in his "Cyber Security Roadmap" he provided to Jacobs and Wilson on May 23, 2018. 100. On October 3, 2018, Jacobs provided a separate memorandum recommending that the Bucks County Commissioners approve the purchase of Gemini Data hardware. a. Jacobs wrote, "To the Administration: Please accept this memorandum as an explanation for the service engagement with Gemini Data. Gemini Data provides professional services and packages everything needed into accomplish this in a locked down appliance which is required to run the Splunk software. Due do the nature of the Splunk software and functions that it performs it must run on a separate dedicated platform, which requires and allows no intervention from the IT staff. The use of this item is another building block in our layered security strategy. A meeting was conducted between the COO, the Chief Clerk, the Solicitor, Purchasing, and IT and it was determined that this purchase all fall within regular purchasing laws and county purchasing policies for professional services. This request is for consideration on the October 17, 2018 Commissioner Agenda. If there are any questions, please do not hesitate to contact me." 101. Jacobs made the recommendation to approve the purchase of Gemini Data hardware based on Ayers' recommendation as the Chief Information Security Officer for Bucks County. 102. During an October 17, 2018, Bucks County Commissioners meeting, CRS was approved for a $70,000.00 contract to provide cyber security services including management and maintenance of security components. a. The terra of the contract was from November 1, 2018, through October 31, 2019. 103. During the same October 17, 2018, Bucks County Commissioners meeting, a $73,261.44 contract was approved with Gemini Data to provide hardware required to run cyber security software. a. The term of the contract was from November 1, 2018, through October 31, 2021. b. Bucks County purchased two S-Box appliances from Gemini Data at a cost of $24,420.48 paid annually for three years. C. Ayers recommended that Bucks County purchase the Gemini Data S-Boxes as part of his "Cyber Security Roadmap" provided to Bucks County on May 23, 2018. Ayers, 19-040 Page 36 104. Ayers became a reseller of Gemini Data products at the same time he recommended that Bucks County purchase the Gemini Data S-Box appliances. a. Yueh emailed Ayers on July 16, 2018, to inquire if he already had a contract with Bucks County. 1. Yueh requested to have Ayers provide Gemini Data products to Bucks County as a reseller. 2. Yueh wrote, "Robert, Do you already have a contract with Bucks and Berlcs? Want to see if they can buy Gemini through you, on your contract with them. That would take away a lot of procurement issues for me. I'm trying to not have to go through ANOTHER reseller that would just want margin for passing paper. Julia." 3. Gemini Data agreed to pay Ayers a 10% commission after the first payment of $24,420.48 was received from Bucks County. b. Ayers knew Yueh from his employment with the Commonwealth. 1. Ayers used Gemini Data products in his Commonwealth position. C. Between January 11, 2018, and June 6, 2019, Ayers engaged in 184 telephone calls with Yueh. I. Every one of those calls occurred during Ayers' Commonwealth work hours. 105. Bucks County made a payment of $24,420.48 to Gemini Data on February 22, 2019. 106. Following the payment by Bucks County to Gemini Data, Ayers emailed Gemini Data Accounting Manager Tressa Wells ("Wells") on February 28, 2019, to inquire about the commission payment. a. Ayers wrote, "I have been advised that the Gemini invoice has been paid. Here is the information. The check was paid on 2/22/2019, check #3 82776. Can you let me know when Gemini will be releasing the commission check for CRS. Thanks Robert." 1. Wells replied to Ayers on February 28, 2018, "Thank you for your help on this. I will let you know when I receive it Tressa." Ayers, 19-040 Page 37 107. On March 11, 2019, Ayers again emailed Wells seeking the commission payment. a. Ayers wrote "Tressa, just checking on the status of our commission check. Regards, Robert." 108. Ayers emailed Wells a third time on March 19, 2019, to follow up regarding the commission payment. a. Ayers wrote, "Tressa, Checking up on this. Can you tell me when the commission will be paid for the Bucks County Gemini Sale to CRS? As identified below Bucks County has verified that Gemini was paid. Thanks Robert." b. Wells replied to Ayers on April 8, 2019, "Hi Robert, We just received the check from Buck County on Friday. You will be paid for your commission on Friday. Thank you Tressa." C. On April 23, 2019, Ayers emailed Wells to inform her that he had not received the check from Gemini Data. 1. Ayers wrote, "Tressa, Just confirming that the commission check was mailed. We have not received it yet. Please verify the address it was mailed to." d. Wells replied to Ayers on April 29, 2019, "My apologies, let me look into. Please send me your bank details, so I can replace the check with a wire. Thank you Tressa." e. Ayers replied to Wells on April 29, 2019, "1 believe the amount should be $2,442.00. The bank is M&T Bank NA. CHIPS/ABA 0555 Swift code MANTUS33 Routing #022000046 Account Name Cyber Risk Services LLC." f. Ayers followed up again regarding the commission payment on May 2, 2019, "Tressa, Just following up, has the transfer been completed? Robert." 109. CRS' M&T Bank account records reflect that on May 2, 2019, a wire transfer of $2,442.00 was made from Gemini Data. a. The $2,442.00 amount was 10% of the $24,420.78 payment made by Bucks County to Gemini Data. 110. On May 15, 2019, Wells emailed Ayers to request a copy of an Internal Revenue Service Form W-9. a. Ayers emailed the W-9 to Wells on May 17, 2019. b. Ayers did not list his name on the W-9 form he provided to Gemini Data. Avers, 19-040 Page 38 1. The name listed on the W-9 form was Pamela Oliveira. 2. Oliveira's residential address was listed on the W-9 form provided to Gemini Data. 111. At the time Ayers was serving as a reseller of Gemini Data products, he had not sought supplemental employment approval to be employed as a reseller of Gemini Data products. a. Ayers would not have been approved as a reseller to an entity he provided consultation services to as a Commonwealth employee. 112. In addition to facilitating the Bucks County purchase of Gemini Data S-Boxes, Ayers facilitated the purchase of Splunk software by Bucks County. a. Ayers detailed his recommendation of Splunk in his "Cyber Security Roadmap" he submitted to Wilson on May 23, 2018. b. Ayers was considered a Splunk Subject Matter Expert (SME) by the Commonwealth and Bucks County. 1. Ayers gained knowledge of and regularly used Splunk software as a Commonwealth employee. C. Splunk is used as a Security Information and Event Management (SIEM) solution that provides insight into machine data generated from security technologies such as network, endpoint, access, malware, vulnerability and identity information. 113. On .tune 6, 2018, Carahsoft Technology Corporation ("Carahsoft") Senior Territory Manager John Howton ("Howton") emailed CDW-G Account Manager Lisa Rivers ("Rivers") to forward estimates for the purchase of Splunk directly to Ayers. a. Howton wrote, "Good afternoon Lisa, Attached are 4 Splunk quotes for Bucks County. Please confirm receipt and upon building out your pricing, please send your quotes to Robert Ayers, a consultant working with the county who will present the options to them. His info is below. Robert Ayers [email address redacted]. Please let me know if you have any questions at all." b. CDW-G is an authorized participating dealer of Splunk through Carahsoft. 1. Carahsoft acts as a wholesaler, and CDW-G acts as a distributor. C. Rivers emailed the quotes to Ayers in his capacity as the CRS principal providing services to Bucks County. I . Ayers was responsible for recommending and the implementation of eyber security software and hardware in is his position as the Chief Information Security Officer. Avers, 19-040 Page 39 2. Ayers secured this position after providing services to Bucks County in his position as a Commonwealth employee. d. On June 6, 2018, four Carahsoft quotes were provided to Bucks County for the purchase of Splunk Enterprise and a Splunk education services unit. 1. The first quote was for $13,800.04, which included the purchase of Splunk Enterprise Standard Success Plan-20 GB/day and four education service units. 2. The second quote was for $42,268.92, which included two Splunk Enterprise Standard Success Plan-40 GB/day and four Splunk Enterprise service units. 3. The third quote was for $27,780.04, which included one Splunk Enterprise Standard Success Plan-40 GB/day with four education service units. 4. The fourth quote was for $20,964.47, which included two Splunk Enterprise Standard Success Plan-20 GB/day and four education service units. 114. On July 2, 2018, Splunk Sales Engineer Sandy Leon ("Leon") emailed members of the Bucks County Information Technology Department to schedule a WebEx meeting to demonstrate Splunk. a. Leon confirmed in the email correspondence that Splunk was working with Ayers. b. Leon wrote, "Good morning Bucks county team, I have not had the pleasure of meeting you all; my name is Sandy Leon. I am a Sales engineer with Splunk>, teamed up with Account Mgr, Rich Gallagher. We are working with Robert Ayers, and would love to show you the value of Splunk via a webex Demo. I would show you the Splunk app for Windows Infrastructure as well as Enterprise Security. I know you are familiar with Enterprise Security, so I have only included a "bit" on the infrastructure app. The Splunk App for Windows Infrastructure gives you deep visibility into the health and performance of your Microsoft Windows Server and Active Directory environments. It includes components that let you monitor system, server, network, and printer availability. It includes modules which allow you to monitor other aspects of your Windows network, including: Microsoft Windows Server (through the separately available Splunk Add -on for Windows) Microsoft Windows Server Active Directory (through the included Splunk Add -on for Active Directory suite). Use the Splunk App for Windows Infrastructure to: Identify infrastructure problems, such as non -running services and load issues Ayegrs, 19-040 Page 40 Monitor the performance of all servers throughout your Windows environment Monitor security events, such as virus outbreaks and anomalous logons Track and Audit administrative changes to the environment Including Group Policy Changes and Elevated Privilege changes Plan for capacity expansion Thank you!" C. Leon scheduled the Webex demonstration on July 11, 2018. 115. On July 6, 2018, Howton emailed Rivers with an updated Splunk quote for Bucks County. a. Howton wrote, "Good afternoon Lisa, Attached is an updated Splunk quote for Bucks County PA, Please Build your pricing and send to Robert Ayers ravers eyber-risk-services.com. Please let me know if you have any questions at all." 116. On July 13, 2018, Ayers forwarded the updated Splunk quote provided by Rivers to Wilson via email. a. Ayers wrote, "Here is the 60gb quote we discussed for comparison." b. The quote was forwarded to Wilson during Ayers' Commonwealth work hours. 117. On September 24, 2018, Keaser received a proposal from Rivers and CDW-G to purchase three Splunk Enterprise 40 GB software licenses which included four education service units. a. The total of the proposal was $85,817.83 for three years from October 31, 2018, until November 1, 2021. 118. Keaser received a proposal to purchase Splunk software from August Schell on September 25, 2018. a. The quote was for $109,700.14 and included three Splunk Enterprise software licenses (3 years), 40 GB/day, and four education service units. 119. Keaser received a proposal to purchase Splunk software from Carahsoft on August 3, 2018. a. The quote was for $37,521.20 and included one Splunk Enterprise software license, 40 GB/day, and four educations service units. 120. On October 3, 2018, Jacobs submitted a memorandum to the Buck County Commissioners, recommending the purchase of Splunk software from CDW-G. Ayers, 19-040 Page 41 a. Jacobs wrote, "To the Administration: Please accept this memorandum as an explanation for the acquisition of Splunk Software. Information Technology is seeking to add Splunk, a specialized software used in the aid of cyber security. Splunk has the ability to scan large amounts of data from many sources and capture, index and then correlate the data into a searchable and usable format to aid in identifying data patterns, diagnosing problems and providing intelligence for business operations. This is required to provide yet another layer of an overall, comprehensive security solution to protect the County's computing environment. IT researched cyber security software, resulting in the decision to utilize the Splunk solution which is also employed by the Commonwealth of Pennsylvania. In a meeting between the COO, the Solicitor, Purchasing, and IT it was confirmed that this purchase falls within regular purchasing laws and county purchasing policies in that software is exempt from the bidding process under the County code and IT solicited the required number of quotes from authorized Splunk resellers. However we are seeking an exemption to the County Purchasing Policty [sic] that requires quotes over $10,000 be posted on PennBid. This request is for consideration on the October 17, 2018, Commissioner Agenda. If there are any questions, please do not hesitate to contact me." 121. Jacobs recommended the purchase of Splunk software based on Ayers' recommendation as the Chief Information Security Officer for Bucks County. 122. During an October 17, 2018, Bucks County Commissioners meeting, an $85,817.83 contract was approved by the Bucks County Commissioners with CDW-G for the purchase of Splunk security software. 123. During or about the time that Bucks County approved the Splunk software purchase from CDW-G, Ayers negotiated a rebate/finder's fee commission with Howton. a. Howton had marketed the Splunk security software to the Commonwealth. 124. On January 23, 2019, Howton emailed Ayers to inform him that Carahsoft was working on providing a rebate check to CRS and requested the corporate remittance address for CRS. a. Howton wrote, "Good morning Robert, We are working on getting a rebate check out to you, but my team reached out to me with the below request. Can you please pass us the information requested below? Can you please reach out to Cyber Risk Services and request their corporate remittance address? We need this information to send them their rebate check on the above mentioned order. Please forward me their email confirmation. And if they can provide a website as well, that would help for confirmation. Let me now if you need anything at all from my side. Best, John Howton." The title of the email was "Carahsoft Rebate -Bucks County -need confirmation." A s, 19-040 Page 42 b. Ayers replied to Howton on January 23, 2019, at 11:34 a.m., "Cyber Risk Services LLC 41 Susquehanna Avenue Dallas, PA 18612." Ayers sent the email to Howton during his regular work hours as a Commonwealth employee. 125. CRS' M&T Bank account records reflect that a Carahsofi Union Bank & Trust check (No. 37919) in the amount of $1,263.16 was paid to CRS on January 24, 2019. a. _ The check was paid to CRS one day after Howton contacted Ayers to obtain the CRS corporate remittance address. b. Check No. 37919 was credited to the CRS M&T Bank account on February 11, 2019. C. Check No. 37919 was endorsed by Oliveira. 126. Howton confirmed on November 18, 2020, to State Ethics Commission Investigators that Ayers, as a consultant, received the rebate/finder's fee check in the amount of $1,263.16 for his actions resulting in the sale of Splunk software to Bucks County. 127. In May 2019, following the original purchase of Splunk software, Ayers recommended to Bucks County a capacity upgrade with Splunk. a. The original Bucks County Splunk licenses included 40 GB of capacity. b. Ayers recommended that Bucks County purchase an upgrade from 40 GB to 60 GB with Splunk to compensate for the overage in daily capacity use. 128. In a May 29, 2019, email to Jacobs, Ayers wrote, "A bit early but yes it should be renewed let me see what I can do as far as pricing you're inevitably going to need a larger license maybe we bundle that the cost will be lower now than an upgrade later." a. Ayers was referencing upgrading the Splunk software capacity. 129. In a September 9, 2019, email to Jacobs, Ayers wrote, "Don't forget to check on this with Rick. Your recent usage has exceeded your existing 40 GB license." a. Ayers referenced contacting Brodbeck regarding upgrading the Splunk license. 130. Ayers emailed Keaser on September 10, 2019, to inform him that he had received an updated quote from CDW-G pertaining to a Splunk capacity upgrade. a. Ayers wrote, "I've reached out to get a new upgrade quote from CDWG. Regards, Robert." Airs, 19-040 Page 43 b. On September 11, 2019, at 5:30 p.m., Ayers emailed Splunk Representative John Fitzgerald, Howton, and two other Splunk officials regarding the Bucks County/Splunk renewal as follows: "This has to be sent to Bucks early tomorrow to meet a procurement deadline of 10 AM for this month's meeting." Ayers sent the email during his Commonwealth work hours. 131. On September 11, 2019, CDW-G provided a quote to Bucks County to upgrade the Splunk license from 40 GB to 60 GB. a. The quote provided by CDW-G was for $25,977.23. 132. On October 8, 2019, Jacobs submitted a memorandum to the Bucks County Commissioners, recommending the Splunk license upgrade. a. Jacobs wrote, "To the administration: Please accept this memorandum as general narrative on the Splunk cybersecurity solution capacity storage. The Information Technology (1T) department on November 1, 2018 entered a contract with CDW- G for the purchase of Splunk cybersecurity solution for County operations. Splunk is a software that scans large amounts of data from various places and turns it into a format that assists IT employees in diagnosing any issues that might occur. The reason we are asking for an increase in the contract with CDW-G is to increase the daily capacity of the Splunk storage solution. We currently have a daily capacity of 40 GB/day and this amendment is to increase this by an additional 20 GB/day. The reason for the increase is due to the increased amount of data that we are collecting to protect from eyber threats. We go the quote from CDW-G as we currently have a contract with them and since we have that we can only go with CDW-G. Please let me know if I can elaborate in any way on the above request for the proposed agreement." 133. Jacobs recommended that Bucks County purchase the additional daily compacity based on Ayers' recommendation as the CRS consultant. a. Ayers did not have Commonwealth approval to engage in supplemental employment as a cyber security consultant for CRS or to be a "reseller" of Splunk software. 134. During a December 4, 2019, Bucks County Commissioners meeting, a $25,977.23 contract amendment with CDW-G was approved to increase the GB capacity from 40 GB to 60 GB for Splunk security software. a. The amended contract with CDW-G was item 12-b under information Technology on the December 4, 2019, agenda. b. The Bucks County Commissioners unanimously approved the amended contract with CDW-G. Ayers, 19-040 Page 44 135. On November 18, 2019, Ayers and CRS received a second rebate/commission payment from Carahsoft in the amount of $1,263.16. a. The payment was made to Ayers and CRS for providing continued customer service for Splunk software in Bucks County. 136. CRS' M&T Bank account records reflect that Carahsoft Technology Corporation Atlantic Union Bank check No. 45361 in the amount of $1,263.16 was deposited on November 25, 2019. a. The check was endorsed by Oliveira. b. The check memo includes Cyber Risk Services LLC with an address of 41 Susquehanna Avenue Dallas, PA 18612. 137. Ayers and CRS received a total of $2,526.32 in rebate payments from Carahsoft during the 2019 calendar year. a. Ayers received no other checks from Carahsoft after Bucks County severed the business relationship with CRS and Ayers in February 2020. b. Bucks County officials were unaware that Ayers received payments from Carahsoft for arranging the Splunk software sales to Bucks County. 138. Ayers did not have supplemental employment approval from the Commonwealth to act as a reseller of Splunk software, which he utilized as part of his Commonwealth employment. 139. Ayers also recommended to Jacobs that Bucks County purchase Carbon Black security software. a. Ayers recommended that Bucks County purchase Carbon Black security software in his May 23, 2018, "Cyber Security Roadmap" he forwarded to Jacobs and Wilson. b. Ayers would realize a commission if Bucks County made the purchase. 140. Carbon Black security software is described as a cloud -native endpoint security software that is designed to detect malicious behavior and to help prevent malicious files from attacking an organization. 141, In May 2018, Ayers recommended that Bucks County obtain a proof of concept with Carbon Black. a. The proof of concept was provided through CDW-G. 142. On June 28, 2018, Carbon Black Account Manager Bob Boyle ("Boyle") emailed Wilson to thank him for the opportunity to meet regarding Carbon Black. Ayers, 19-040 Page 45 a. Boyle specifically mentioned Ayers in the email to Wilson. b. Boyle wrote: "Hi Scott, following up our call yesterday, we appreciate you & your team sitting down with us to discuss Cb Defense. We also appreciate the engagement. Based on our conversation & your needs to bring in a solution that is going to give Bucks County more advanced prevention, visibility into the "bread crumb trail" of what's happening in the environment, automation & integration into Splunk- I know Cb Defense will provide the value your team is looking for. The Carbon Black team also appreciates Lisa setting up these calls for us & Rob for working directly with our team through the Cb Defense POC. As we discussed yesterday, Rob has done a fantastic job correlating Cb Defense to fit your specific environment & work to prevent those advanced attacks we discussed yesterday. Following our call I reached out to our internal provisioning team, and as Rich mentioned, we are only able to keep your cloud instance up and running for so long, since we incur costs from AWS on our end. Our team said that we could leave your instance running for 6-7 more days, but I believe we could extend that to 10, giving your team time to move forward with at least the 300 license quote. By purchasing 300 licenses of Cb Defense now, you will be able to roll your current cloud instance into protection, thus saving all of the rules, policies & hard work Rob has put into Cb Defense over the past 2 months. Additionally, a purchase of Cb Defense will lock you in at the price point seen on the quote today for 1 full year if you chose to add -on the remainder of your environment when Trend Micro expires in early 2019. Lisa & I worked together to get significant discounts put together for your team so that we could ensure the overall total came in under the $10,000 window which would require you to receive additional approval for the purchase. Understanding that time is of the essence, would it make sense to hop on another call to discuss this further & answer any additional pricing questions? All the best, Bob." C. "Rob" refers to Robert Ayers. 143. In June 2018, following the proof of concept, Bucks County authorized the purchase of 300 Carbon Black software licenses from CDW-G at a cost of $8,195.00. 144. In December 2018, Ayers became a reseller of Carbon Black security software. a. Ayers was aware that Bucks County would be considering the purchase of additional Carbon Black software licenses when he became a reseller. Ayers, 19-040 Page 46 b. Ayers would receive commissions/finder's fees on the licenses that Bucks County purchased. 145. On December 20, 2018, Boyle emailed Jacobs regarding a continued relationship with Bucks County. a. Boyle wrote, "Good Afternoon Don, Hope all is well My name is Bob Boyle & I am your account manager & main point of contact here at Carbon Black! I have been working closely with Rob over the course of Bucks County's relationship with Cb & am happy to hear how successful your team has been with leveraging Cb Defense. I wanted to send over a few documents that I thought you may be interested in Carbon Black Holiday Threat Report: 3 easy ways to spot a Spear Phishing email Forrester Study — The Total Economic Impact of the Cb PSC: Cost Savings & Business Benefits of Carbon Black. The Forrester Study is a full report of the ROI associated with customers leveraging our Predictive Security Cloud, the platform in which Cb Defense (NGAV) & Cb LiveOps (Real Time Query) sits on. Rob has told me how you are already seeing the benefits of Carbon Black within a small portion of your environment, and I am excited to continue working with you as you expand your Carbon Black footprint & realize the full 261% ROI over 3 years. I spoke with your colleague earlier this week & he mentioned you have some availability Friday afternoon. Would you be open to a quick call at 2pm so I can properly introduce myself & answer any questions you may have? Let me know your thoughts & looking forward to connecting! All the best, Bob." 146. On December 23, 2018, CRS and Ayers submitted a quote to Jacobs for the purchase of 2,000 Carbon Black software licenses. a. Ayers submitted the quote as a reseller of Carbon Black software. b. The quoted price for the Carbon Black software licenses was $34,800.00. C. The $34,800.00 was $17.40 per software license. 147. On December 24, 2018, Oliveira, Ayers' then -girlfriend and business partner, emailed Jacobs and Wilson an additional quote for Carbon Black software. Avers, 19-040 Page 47 Oliveira wrote, "Don, Scott Attached is a license quote for the Carbon Black upgrades. Robert mentioned to Scott that this we could also quote the additional licenses for a 6 month period for the new machines so that the license renewal will coincide with your existing licenses. If you're interested in a 6 month license for the remaining 2200 machines let us know and we can send you an updated quote. Regards, Pam." 148. Boyle followed up with Jacobs and Wilson on January 10, 2019, to inquire if the purchase of Carbon. Black software would be added to Bucks County Commissioners Agenda. a. Boyle wrote, "Good Afternoon Don Hope all is well as we begin the new year! Wanted to reach out to reconnect & continue our conversation from the end of 2018. With the Bucks County Commissioner's meeting coming up on January 10h, I wanted to make sure that (a) you had all of the information you needed regarding Cb Defense and (b) Carbon Black made it on the agenda for the next meeting. Do you have some time tomorrow to hop on a quick call to make sure our ducks are in a row? Thanks in advance for your time & looking forward to hearing back! All the best, b. Jacobs replied to Boyle on January 11, 2019: "Bob, I have been out of the office substantially this month and missed the mark for getting this on the 1/16/19 meeting agenda. We are now looking for the Wednesday, 2/6/19 meeting. So here is our lift. According to our Purchasing Director, our requirements are; The PA County Code says purchases "involving computer software" are exempt from the bidding process. PA County Code also says that the Commissioners must approve all contracts over the bid threshold ($20,600 for 2019). Bucks County's internal policy mandates that we get competition for purchases even when they are exempt from the bidding process by code. This is to assure the Commissioners we are getting the best price for the product/service we want. So if you are going to go with the Carbon Black product we need to bid the Carbon Black product and award to the lowest responsive, responsible bidder. Can you assist us in finding vendors capable of providing addition quotes to our specs? We need three. Best regards, Ayers, 19-040 Page 48 Don J." C. Wilson emailed Boyle on January 11, 2019, to inform him that Bucks County needed one more bid in addition to Carbon Black Direct and CRS. 1. Wilson wrote, "Hello Bob, We need 1 more in addition to CB Direct & CRS. In addition can you include and training services like the 3 we had with last purchase? Thank you." d. Boyle replied to Wilson and Jacobs on January 11, 2019, "Good Afternoon Don & Scott Thanks for the replies & insight! I will begin working with the team to get: 1) An updated quote from Rob & CyberRisk 2) An updated quote from Carbon Black direct (MSRP Pricing) 3) A quote from Rizwan Ashraf at Zones (they were included as 1 of 3 quote bids for the initial purchase in June' 18) I appreciate the communication & assistance both at the end of the year & into 2019 here. With that said, could you provide some insight into what the procurement process will look like following the Commissioners Meeting on Feb 6"'? Who from Bucks County needs to sign off on a purchase? - Will the competing quotes be solely for Carbon Black? Is Trend Micro going to be part of the quote evaluation? What is the timeline expected for a decision/purchase? Finally, once everything is wrapped up here, we should reconnect to continue our discussion about highlighting Bucks County's great success with Cb Defense — whether it be a white paper to share with your colleagues, or a more informal dinner/networking event with other Counties in the area! Thanks again for the open communication & let me know if you have any additional questions — happy to hop on a call next week. All the best, 149. On January 22, 2019, Ayers/CRS emailed a bid to provide 2,200 Carbon Black software licenses to Bucks County for $38,280.00. a. Ayers wrote, "As requested," and attached a CRS proposal for the purchase of 2,200 Carbon Black software licenses. Ayers, 19-040 Page 49 b. Ayers included his full name on the proposal he sent to Jacobs. C. This was an increase of 200 licenses from his December 23, 2018, quote and an increase of $3,480.00. 150. On January 25, 2019, Bucks County Procurement Coordinator Elizabeth Gates ("Gates") emailed Ayers to inquire about the reference to Costars on the proposal submitted for the purchase of Carbon Black software. a. -Ayers included a COSTARS number of 006-064 on the Carbon Black software quote he submitted to Bucks County. b. Neither Ayers nor CRS was a member of COSTARS. C. Ayers replied to Gates on January 25, 2019, to inform her that CRS is not a member of COSTARS, "We are not. That must have been from the original quote from Carbon Black. I can have that removed." 151. Ayers submitted an updated Carbon Black quote for CRS to Gates on January 26, 2019. a. The amount of $38,200.00 for the purchase of 2,200 Carbon Black software licenses remained unchanged. 152. Jacobs submitted a memorandum to the Bucks County Commissioners on February 6, 2019, recommending the purchase of Carbon Black security software from CRS. a. Jacob's wrote, "To the Administration: Please accept this memorandum as general narrative on the agreement to purchase the Carbon Black anti -virus solution. The Information Technology department has selected Carbon Black as the best solution to provide anti -virus protection as we move forward in our journey to secure the County's computing assets and data. Carbon Black offers enhanced client (employee computers) anti -virus protection by performing a more robust scan tan what is offered by our current solution. The Carbon Black service will provide enhanced forensics and immediate anti -virus updates for all clients. An additional benefit of the Carbon Black anti -virus solution is that the logging information can be ingested directly into our recently purchased Splunk solution. This automated activity will help to bring any anomalies to the attention of the Information Technology quickly. The Information Technology department is requesting the Commissioners to waive the County of policy of having this item go out to bid and instead utilize the three (3) quotes obtained from various vendors. The lowest quote was provided by Cyber Risk Services. Please let me know if I can elaborate in any way on the above request for the proposed agreement." b. Jacobs informed the Bucks County Commissioners that CRS was the lowest bidder. Ayers, 19-040 Page 50 153. On February 6, 2019, the Bucks County Commissioners approved a $38,280.00 contract with CRS and Ayers for the purchase of 2,200 additional Carbon Black security licenses. 154. Jacobs made the recommendation to purchase Carbon Black security software based on Ayers' recommendation. 155. On February 6, 2019, the Bucks County Commissioners approved a $38,280.00 contract with CRS and Ayers for the purchase of 2,200 additional Carbon Black Security licenses. a. Ayers submitted the lowest bid for Carbon Black security software knowing that CRS would receive the contract. b. Ayers was included in every email and discussion pertaining to the purchase of Carbon Black security software. 156. CRS invoiced Bucks County $38,280.00 for the purchase of 2,200 additional Carbon Black software licenses on February 18, 2019. a. The $38,280,00 price was for one year and was required to be renewed annually. 157. CRS' M&T Bank account records confirm that Bucks County paid Ayers and CRS $38,280.00 on March 4, 2019, via direct deposit. 158. Ayers/CRS purchased the Carbon Black security software licenses provided to Bucks County from Arrow Enterprise Computing Solutions, Incorporated. a. Arrow Enterprise Computing Solutions, Incorporated is a distributor for Carbon Black security software. b. Ayers and CRS ordered the Carbon Black software licenses on February 12, 2019, six days after the Bucks County Commissioners approved the $38,280.00 contract with CRS. 159. CRS' M&T Bank account records reflect that CRS paid Arrow Enterprise Computing Solutions, Incorporated on March 5, 2019, via check No. 1206 in the amount of $34,386.00, a. CRS paid Arrow Enterprise Computing Solutions, Incorporated one day after receiving payment from Bucks County. 160. During 2018-2019 when he was recommending that Bucks County purchase Carbon Black software, Ayers engaged in 35 telephone calls with Boyle and an additional 76 calls with other Carbon Black representatives. a. All of these calls occurred during Ayers' regular working hours as a cyber security specialist for the Commonwealth. Ayers, 19-040 Page 51 161. Ayers/CRS realized a $3,894.00 profit from the sale of Carbon Black software to Bucks County. 162. Following the purchase of Carbon Black software, Ayers and CRS requested additional compensation from Bucks County to maintain the additional 2,200 Carbon Black accounts. a. On June 21, 2019, Ayers emailed Brodbeck and cc'd Jacobs and Bucks County Deputy Chief Information Officer Richard Gallagher with the justification to amend the original contract. b. Ayers wrote, "Gentleman, I've sent this to Don already, attached is the justification for adding the additional hours to the contract that Don and I discussed. Best Regards, Robert." C. Ayers attached a document outlining the need for additional hours billed to Bucks County. 163. Ayers' attachment to the June 21, 2019, email included the following: "6/5/2019 Contract Extension Justification — CRS The original contract approved on 10/17/2018, PO Number 90824-1 with Cyber Risk Services (CRS) included 500 hours @140.00 per hour. It was based in part on the original count of 300 Carbon Black CB Defense licenses. On 01/18/2019, PO Number 23765, Bucks County procured an additional 2200 Carbon Black CB Defense licenses. The increase in the license count from 300, to 2500 licenses caused additional hours to be used to support the distribution, monitoring and maintenance of the CB Defense solution. In addition, the management of Splunk, the implementation of new data sources for the collection and monitoring of the existing data. Also adding to the increase in hours was the monitoring of the CentuzyLink log solution, extracting those logs for ingestion into the Bucks Splunk solution. We are asking for the approval of an additional $25,000 to cover the estimated number of hours that will be needed until the expiration of the existing CRS contract on 10/31/2019. We are confident based on the average of hours used monthly to date, that the requested amount will be enough to continue with our existing services through the end of the contract." a. Bucks County never approved CRS/Ayers to receive the additional $25,000.00 that Ayers sought. Avers, 19-040 Page 52 164. In March 2019, Ayers provided a proof of concept to Bucks County for a Fidelis Radius EX Sewer (Serial #RA346362181), a Dualcomm Dual -Link Gbe Copper and Fiber Network Tap, a power adapter, and two TrendNet TEG-MGBS10 (Serial #RA8JLX3200110 and #RA8JLX3200083). a. Ayers introduced the Bucks County officials to Fidelis Sales Engineer Ron Subers to install the proof of concept. b. The proof of concept was provided to Bucks County from March 2019 until January 2020. 165. Fidelis hardware focuses on threat detection, hunting, and a targeted response of advanced threats and data breaches. 166. Fidelis is a former vendor of the Commonwealth. a. Ayers was familiar with Fidelis as the OA IT contact on ten purchases made by the Commonwealth from Fidelis from calendar years 2015 through 2017. 167. Ayers recommended the purchase of Fidelis as the CRS cyber security consultant for Bucks County. a. Ayers knew he would receive a commission and/or finder's fee if Bucks County made a purchase from Fidelis. 168. Ayers expressed an interest in becoming a reseller of Fidelis products to Fidelis Security Sales Engineer Joseph Kim. 169, Fidelis Regional ,Sales Manager Joseph Ferri ("Ferri") emailed Brodbeck on September 13, 2019, regarding a 10% finder's fee that would be paid to Ayers. a. Ferri wrote, "Rich, I just wanted to make sure you were aware that there will be a 10% Finder's Fee paid to Robert Ayers @ Cyber Risk Services LLC. Hopefully this is not an issue as he is the one who initiated this opportunity." 170. Jacobs replied to Ferri on September 13, 2019, to inform him that Bucks County could not get involved with leads or a finder's fee. a. Jacobs wrote, "Hi Joe, We cannot get involved in what private sector does with their leads and sources, or even legally recognize it. Our price at adoption is our price and we cannot deviate. Many many thanks. Don." 171. Ayers never informed Bucks County that he would receive a finder's fee for the sale of Fidelis. Ayers, 19-040 Page 53 172. Jacobs decided not to purchase the Fidelis hardware after learning that Ayers would receive a 10% finder's fee. a. The equipment was returned to Fidelis Cyber Security Representative Tony Allegrati on January 29, 2020. 173. All of the actions Ayers initiated in the attempt to arrange the sale of Fidelis equipment to Bucks County occurred while he was simultaneously employed by the Commonwealth as an Information Technology Executive 1, 174. Outlier Security, Inc. ("Outlier") was a cyber security software firm that specialized in providing endpoint threat detection and remediation across enterprise networks. a. Outlier was in business from approximately 2014 through 2017. b. Outlier was based in Zephyr Cove, Nevada. C. The officers of Outlier included Greg Hoglund, Chief Executive Officer; Bob Slapnik ("Slapnik"), Chief Revenue Officer; and Penny Leavy, Chief Operating Officer. d. The officers of Outlier previously owned and operated HB Gary, Inc. 175. HB Gary, Inc. was a software vendor that focused on technology security used by commercial and government organizations. a. HB Gary, Inc. was in business from approximately 2003 until 2012. 176. On or around March 18, 2011, and April 29, 2011, HB Gary, Inc sold a responder and software to the Commonwealth through the Pennsylvania Department of General Services for Purchase Order Nos. 4300273518 and 4300280694, which included equipment and software that was delivered to Ayers at 613 North Street, 311 Finance Building, Harrisburg, PA 17120 as follows: Item Material/Service Desc Oty UOM Delivery Date Net Price Price Unit Total I HBGARY Responder 1,000 Each 03/31/2011 $1,595,58 1 $1,595.59 Item Material/Service Desc Otv UOM Delivery Date Net Price Price Unit Total I HBGARY Software 1,000 Each 05/10/2011 $19,693.57 1 $19,693.57 a. The agency contact for the items purchased from HB Gary, Inc. for the Commonwealth was Ayers. 177. Through the marketing of the hardware and software that HB Gary, Inc. sold to the Commonwealth, Slapnik regularly communicated with Ayers as an OIT employee of the Commonwealth. Ate, 19-040 Page 54 a. Ayers utilized HB Gary, Inc.'s software in his position with the Commonwealth. b. Ayers and Slapnik developed a professional relationship. C. Slapnik considered Ayers to have strong technical skills in analyzing software. 178. In or around July 2017, after Slapnik began serving as the Chief Revenue Officer for Outlier, Slapnik contacted Ayers to perform work for Outlier. a. The work that Ayers was to perform for Outlier consisted of reviewing data that had been collected and running queries. b. Ayers was to be compensated for his services. 179. Payment was made by Outlier to CRS to compensate Ayers for hours worked to complete the data analysis. 180. Slapnik/Outlier selected Ayers for the data analysis as a result of the hardware and software purchased by the Commonwealth from HB Gary, Inc. based on the recommendation of Ayers in his capacity as an Information Technology Executive 1 with the Commonwealth. a. CRS/Ayers was paid by Outlier based on the relationship established between Ayers and Slapnik due to Ayers' position with the Commonwealth. 181. CRS' M&T Bank account reflected that a deposit was made on August 15, 2017, in the amount of $1,360.00 from Outlier. a. Check No. 1354, dated 7/31/17, drawn on an account for Outlier with Wells Fargo, Bank, N.A., reflected a check was paid to the order of CRS in the amount of $1,360.00. 1. Oliveira endorsed the check. 182. Ayers never sought nor was approved by OA to engage in supplemental employment with Outlier. a. Ayers never informed his supervisor, Avakian, that he was to be compensated by Outlier for work performed. 183. From 2016 through 2019, while Ayers was employed as an Information Technology Policy Special 2 and an Information Technology Executive 1, Ayers performed services as an independent cyber security consultant for Chester County, Bucks County, and Middletown Honda. a. Many of these services were performed during Ayers' regular work hours as a Commonwealth employee. Ayers, 19-040 Page 55 184. W-2 Wage and Tax Statements for Ayers reflect the following compensation from the Commonwealth from 2016 through 2019: Year Amount 2016 $72,268.97 2017 $80,071.79 2018 $83,558.89 2019 $70,935.08. 185, Asa Commonwealth employee, Ayers was a full-time employee who was required to work 37.5 hours per week, 7.5 hours per day. a. Ayers work hours were from 10:00 a.m, until 6:00 p.m. 186. The hourly rate that Ayers was paid by the Commonwealth of Pennsylvania from January 2016 through September 2019 was as follows: a. 1/1/2016 - 3/18/2016: $37.38/hr. b. 3/19/2016 - 9/30/2016, $39.12/hr. C. 10/1/2016 - 6/30/2017: $41.63/11r. d. 7/1/2017 - 1/5/2018: $42.46/hr. C. 1/6/2018 - 6/30/2018: $43.42/hr. f. 7/1/2018—1/4/2019: $44.51/hr. g. 1/5/2019 — 9/24/2019: $45.52/hr. 187. From 2016 through 2019, while Ayers was employed with the Commonwealth, Ayers was working as a consultant and/or as a threat analyst on behalf of CRS. 188. Ayers utilized the email address [email address redacted] while performing duties and working with CRS. 189. Ayers, as a consultant and/or threat analyst for CRS, corresponded frequently with officials of the Information Technology Department of Bucks County by way of email during his regular work hours with the Commonwealth. a. Officials of the Bucks County Information Technology Department that Ayers corresponded with included Jacobs, Chief Information Officer; Wilson, Network Manager; Keaser, Global Project Manager; Tomczak, Enterprise Manager; and Brodbeck, Business Manager. Avers, 19-040 Page 56 190. In 2018 and 2019, while performing duties benefitting CRS, Ayers corresponded with officials of the Bucks County Information Technology Department on a total of 73 days by a total of 100 emails while Ayers was employed as an Information Technology Executive 1 for the Commonwealth. a. Between January 1, 2018, and June 30, 2018, Ayers sent 26 emails on 19 different days, relating to his outside employment with CRS while being paid by the Commonwealth. 1. Ayers' rate of pay during this period was $43.42 per hour: - - b. Between July 1, 2018, and January 4, 2019, Ayers sent 35 emails relating to his outside employment with CRS while being paid as a Commonwealth employee. 1. Ayers was paid $44.51 per hour by the Commonwealth during this period. C. Between January 5, 2019, and September 24, 2019, Ayers sent 39 emails relating to his outside employment with CRS while being paid by the Commonwealth. I . Ayers was compensated $45.52 per hour by the Commonwealth during this time period. d. All of the above listed contacts occurred during Ayers' regular hours as a Commonwealth employee. 191. Ayers maintains a cellular telephone number identified as [telephone number redacted]. a. The account was first established on or around November 3, 2006, through Sprint under the name of Ayers' mother. 192. Ayers utilized his cellular telephone number to conduct CRS business. a. Ayers used the cellular telephone to communicate with government officials and vendors that sold hardware and software. 193. Ayers communicated by phone calls and text messages during his regular hours as a Commonwealth employee with various officials of the Bucks County Information Technology Department regarding CRS business including Jacobs, Chief Information Officer; Wilson, Network Manager; and other officials of the Bucks County Information Technology Department in 2018 and 2019. a. On a total of 71 days, Ayers had a total of 255 phone calls in which he communicated with Jacobs during Ayers' work hours with the Commonwealth regarding CRS business. Avers, 19-040 Page 57 1. Ayers' communications with Jacobs were solely related to CRS' contracts with Bucks County. b. Ayers communicated via telephone with Wilson about CRS business during Ayers' work hours with the Commonwealth 76 times over 43 days during the period from February 21, 2018, to July 5, 2019. C. Ayers had 46 telephone communications with Bucks County Information Technology Department officials during work hours with the Commonwealth for CRS business over 25 days between February 2018 and August28, 2019. 194. Ayers placed or received a total of 377 telephone calls and/or text messages to the Bucks County Information Technology Department during his Commonwealth work hours. a. All communication that Ayers had with Bucks County Information Technology Department officials was related to Ayers/CRS contracts with Bucks County and occurred during Ayers' Commonwealth work hours. 195. Ayers occasionally traveled and worked onsite at the Bucks County Information Technology Department in Doylestown, Pennsylvania, during his Commonwealth work hours and while being paid by the Commonwealth. a. Ayers traveled to the Bucks County offices between the hours of 10:00 a.m. and 6:00 p.m. during his Commonwealth work hours. 1. Ayers did not submit leave requests nor was he logged into the virtual private network for the Commonwealth when traveling to Doylestown for business related to CRS. b. Ayers was in Doylestown on March 29, 2018, April 13, 2018, and April 4, 2019, assisting officials from the Bucks County Information Technology Department while being paid as an employee of the Commonwealth. 196. The chart below details purchases made from CRS' M&T Bank account for parking, transportation, and food in Doylestown on days that Ayers was scheduled to be working for the Commonwealth. Date Amount Transaction Desc. Acct 3/29/2018 $3.00 Doylestown IPS Meteda lestown M&T 3/29/2018 $1.50 Doylestown IPS Meteda lestown M&T 3/29/2018 $3.00 Doylestown Park Mobile M&T 3/29/2018 $11.62 Altomonte's Italia Doylestown M&T 3/29/2018 $36.47 Altomonte's Italia Doylestown M&T 4/13/2018 $3.25 Doylestown Park Mobile M&T 4/4/2019 $1.25 Do lestown Park Mobile M&T Avers, 19-040 Page 58 197. Ayers' compensation from the Commonwealth on March 29, 2018, April 13, 2018, and April 4, 2019, while performing duties at Bucks County for CRS was as follows: a. 7.5 hours on March 29, 2018 x $43.42 = $325.65, b. 7.5 hours on April 13, 2018 x $43.42 = $325.65. C. 7.5 hours on April 4, 2019 x $45.52 = $341.40. 198. Ayers was paid a total of $992,70 for hours he was supposed to be working for the Commonwealth when he was actually performing duties for CRS in Doylestown. 199. Ayers, while handling duties for CRS, communicated extensively with Gemini Data Sales Representative Yuch and Carbon Black Account Manager Boyle. a. Gemini Data is a hardware system that allows for the installation of Splunk software. 200. Ayers, while contracting as CRS with Bucks County, helped facilitate the purchase of Gemini Data S-Boxes by the Bucks County Information Technology Department. 201. On or around October 17, 2018, the Bucks County Commissioners approved a $73,261.44 three-year contract with Gemini Data from November 1, 2018, through October 31, 2021. a. Bucks County purchased S-Boxes from Gemini Data that are compatible with Splunk security software. 202. Ayers communicated with Yueh regarding the purchase of Gemini Data S-Boxes by Bucks County. 203. Ayers, in his capacity as a CRS representative, utilized his cellular telephone to frequently communicate with Yuch between January 2018 and June 2019 while Ayers was working for the Commonwealth. 204. Ayers made or received 278 calls over 49 days during his regular work hours for the Commonwealth regarding work that CRS performed for Bucks County. a. Ayers communicated with Yueh while working for the Commonwealth, resulting in CRS receiving a wire payment for a rebate from Gemini Data for software sold to Bucks County on or around May 2, 2019, in the amount of $2,442.00. b. Ayers and/or CRS received $2,442.00 (a 10% commission) from Gemini Data based on the annual payment from Bucks County to Gemini Data of $24,420.48. 205. Ayers, acting as CRS, communicated extensively with Boyle. a. Boyle was an Account Manager with Carbon Black from 2016 through 2019. Ayers, 19-040 Page 59 b. Carbon Black is a virus software used to provide endpoint security. 206. Ayers, as CRS, had extensive telephonic communication with Boyle on behalf of Bucks County beginning in or around June 2018. a. Ayers and Boyle communicated about purchasing software licenses from Carbon Black for Bucks County. b. Ayers contacted Boyle about becoming a reseller of the Carbon Black software and then negotiated -a contract with Bucks County for the sale of Carbon Black security software. 207. Ayers, utilizing his cellular telephone, engaged in communication with Boyle and/or Carbon Black between May 2018 and August 2019 while Ayers was working for the Commonwealth. a. Ayers communicated with Boyle and/or Carbon Black 117 times over 40 days during Ayers' regular work hours with the Commonwealth. b. Ayers' communications with Boyle and/or Carbon Black, during Ayers' work hours for the Commonwealth resulted in CRS receiving a commission from. Carbon Black through Arrow Enterprise Computing Solutions, Incorporated on or around March 5, 2019. 208. Between 2016 and 2019, a total of $192,547.32 was deposited to CRS' M&T Bank account as a result of cyber consulting work performed by Ayers. a. Ayers made frequent purchases from this account as well as cash withdrawals. 209. CRS' M&T Bank account records confirmed that $45,627.67 in payments were made on a Sam's Club Mastercard from September 2016 until November 2019. 210. The payments made from. the CRS account to Sam's Club were directly from funds received from Chester County, Bucks County, and software vendors. a. Ayers is an authorized user of the Sam's Club credit card. 211. The Sam's Club Mastercard account was opened with Synchrony Bank on December 29, 2015, by Oliveira. a. Oliveira was approved for the account. b. Synchrony Bank records obtained for the Sam's Club Mastercard account reflect that Ayers was added as a secondary account holder on October 12, 2016. Ayers, 19-040 Page 60 212. Synchrony Bank records reflect that the Sam's Club Mastercard account was temporarily changed to another in March 2018 due to a fraudulent transaction on the account. a. Ayers maintained his status as a secondary account holder despite the change in account numbers. 213. On April 13, 2018, the Sam's Club Mastercard was permanently changed to a new account. a. Ayers continued as a secondary account holder and had access to the account. 214. A review of Sam's Club credit card statements confirmed that numerous purchases were made in Harrisburg, Pennsylvania, from August 2016 through September 2019. a. Most of the purchases were made for fuel at a Harrisburg Pilot gas station. l . Ayers worked in Harrisburg as a Commonwealth employee. 2. Oliveira resided in Luzern County and was employed with the Dallas Area School District. b. Other purchases made in Harrisburg were for food, beverage, lodging, and other miscellaneous goods. C. After September 2019, no other purchases were made in Harrisburg with the Sam's Club Mastercard. 1. Ayers resigned as a Commonwealth employee on September 24, 2019. 215. Ayers made numerous purchases with the Sam's Club Mastercard for fuel at a Pittston convenience store from August 2016 until January 2020. a. The Pittston Convenience store is located at 325 Laurel St. Pittston, PA 18640. 1. Ayers' former residence was located at 208 Rock Street, Hughestown, PA 18640, 2. The Pittston convenience store is .9 miles away from Ayers' former residence. b. Following Ayers resignation from the Commonwealth on September 24, 2019, there was a decrease in fuel purchases made by Ayers. C. Ayers made a total of $4,954.71 in purchases at the Pittston convenience store from August 2016 until January 2020. Ayers, 19-040 Page 61 216. Sam's Club Mastercard account records confirmed Ayers made multiple purchases totaling $194.94 in Doylestown, Pennsylvania, between October 2016 and April 2019. a. The Bucks County Information Technology Department is in Doylestown. b. Purchases made in Doylestown included food, beverage, parking, and other items. 217. Other purchases made by Ayers with the Sam's Club Mastercard included educational expenses at Penn State University. a. Ayers' son attended Penn State University. b. Ayers made $3,470.42 in payments to Penn State University with the Sam's Club Mastercard between September 2016 and April 2019, 218. The chart below details payments made by Ayers to Penn State University using the Sam's Club Mastercard. Date Amount Acet Purchase Location Category 9/4/2016 $75.00 x1093 Penn State Harrisburg, PA education 10/17/2016 $75.98 x1093 Penn State Book Store State College, PA education 10/18/2018 $3,089.44 x4896 Penn State Univ Account I Harrisburg, PA I education 4/17/2019 $230.00 x4896 Penn State Univ PA education 'total $3,470.42 219. CRS' M&T Bank account records reflect that from November 2016 until April 2017, $3,125.55 in payments were made from the CRS account to a J.P. Morgan Chase auto loan. 220. The loan application for the auto loan confirmed that Ayers was listed as a co -buyer for a 2015 Hyundai Sonata Hybrid. a. Ayers' former address is listed on the auto loan application. b. Oliveira is listed on the auto loan application as the primary purchaser of the vehicle. C. The vehicle was financed for $40,926.54 with a 7.24% interest rate. d. The term of the loan was 84 months or 7 years. e. The monthly payment for the vehicle is $625.11. £ The first payment was made on August 20, 2015. Ayers, 19-040 Page 62 g. Ayers and Oliveira signed the application for the auto loan on July 6, 2015. h. Ayers purchased the vehicle from MotorWorld MileOne Auto Group (150 Motorworld Drive Wilkes Barre, PA 18702). 221. Ayers is the only listed owner on the title for the 2015 Hyundai Sonata Hybrid. a. The title number for the vehicle is registered with the Pennsylvania Department of Transportation. b. Ayers' former address is listed on the title. C. The vehicle was titled on July 21, 2015, in the name of Robert Ayers. d. The listed lien holder for the vehicle is J.P. Morgan Chase Bank NA. 222. Pennsylvania Department of Transportation records reflect that Ayers is the registered owner of the 2015 Hyundai Sonata Hybrid. a. The vehicle is registered with Pennsylvania tags. b. Oliveira is not listed as a registered owner of the vehicle. 223. The chart below reflects payments made to J.P. Morgan Chase Bank NA for Ayers' auto loan from CRS' M&T Bank account. a, IN Date Amount Transaction Doc Acd 21-Dec-16 $625.11 JP Mor an Chase Transfer M&T 23-Jan-17 $625.11 Check No 7435794 JP Mor an Chase M&T 21-Feb-17 $625.11 JP Morgan Chase Transfer M&T 21-Mar-17 $625.11 JP Morgan Chase Transfer M&T 21-A r-17 $625.11 JP Morgan Chase Transfer M&T Total $3,125.55 consultant work for Bucks County. Ayers made the payments directly from funds he received for performing cyber security 224. CRS' M&T Bank account records confirmed that numerous cash withdrawals were made at the Pittston Bypass M&T Bank branch (2 Rachael Drive, Pittston, PA). a. The Pittston Bypass M&T Bank branch is .6 miles from Ayer's former address. 225. From October 2016 until February 2020, $27,115.00 in cash withdrawals were made from the CRS M&T Bank account. a. Ayers was an authorized user of the card used to make the cash withdrawals. Ayers, 19-040 Page 63 226. The Pennsylvania Office of State Inspector General ("OSIG") conducted an investigation on whether Ayers violated Commonwealth supplementary employment rules through his operation of a private security company since February 2016. a. OSIG received a request for an inquiry into Ayers' actions of using his position to advance his private business interests. 227. On June 21, 2019, an interview was conducted with Ayers by investigative staff of OSIG during which Ayers, in part, provided the following information regarding CRS: a. CRS was created in March or April of 2016. b. CRS was Ayers' idea. C. Ayers does consult work for CRS and receives compensation for his work. d. Ayers performs threat analysis for CRS and gets paid based on the job he completes. e. Oliveira's duties for CRS include handling the billing. f. Ayers has access to the bank account for CRS that is in Oliveira's name. g. Ayers makes contacts and finds potential partnerships for CRS. h. Ayers contacts vendors of specific products that he feels strongly about. i. Josh Nudell ("Nudell") is a consultant that works for CRS who began working in January 2019. j. Ayers met Nudell through the Commonwealth while Nudell was a contractor with the Commonwealth for Concannon, which provided Splunk services to the Commonwealth. k. Ayers responded to CRS emails during Commonwealth business hours. 1. Ayers answered CRS telephone calls during Commonwealth business hours, but just to say he would call them back. M. Ayers was aware that his supplemental employment approval was for Ayers Security Solutions. n. Ayers never updated his supplemental employment approval on file to reflect CRS. o. The vendors for CRS include Carbon Black, Gemini Data, and Fidelis. Avers, 19-040 Page 64 P. Ayers met Bucks County's Chief Information Officer, Jacobs, and his Network Manager, "Scott," in 2015 through the Commonwealth. q. Ayers did not believe that the Bucks County Finance Department knew he worked for the Commonwealth. 228. OIG issued an Investigative Report, Case 9 OSIG-19-0057-1-OA on September 19, 2019, regarding Ayers that, in part, concluded: a. Between January 2016 and December 2018, Ayers notified OA-OIT that he would be out of the office for 20 workdays but failed to submit leave. b. Ayers' supplementary employment with A2S contains several actual or potential violations of Commonwealth supplementary employment rules, namely: Although Ayers received approval to work as a "Consultant" through A2S, evidence suggests that Ayers is working as an employee for CRS of Dallas, Pennsylvania. 2. Ayers solicited or provided IT security services to three county governments through CRS after learning of their need for them through his OA-OIT position. 3. Ayers recommended to OA-OTT that it purchase a computer software program for which CRS acts as a partner/agent. 4. Ayers admitted performing CRS work during Commonwealth work hours. C. Ayers failed to disclose his supplementary employment for either A2S or CRS on his Governor's Code of Conduct Statement of Financial Interests documents covering calendar years since 2016. d. Ayers forwarded Commonwealth emails to an email account outside of the Commonwealth network, which appear to contain: I . Commonwealth computer software license, product activation keys, access links and registration materials; and 2. OA-OIT related cyber investigative information. 229. On September 24, 2019, OA determined that Ayers did not utilize, at a minimum, 142.5 hours of annual leave while working on behalf of CRS. a. As a result, OA deducted 142.5 hours (19 days) from Ayers' annual leave allowance. Avers, 19-040 Page 65 230. Ayers in his official capacity as an Information Technology Policy Specialist 2 and an Information Technology Executive 1, was annually required to file a Statement of Financial Interests ("SFI") form by May 1 st containing information for the prior calendar year. a. Ayers was also annually required to file a Governor's Code of Conduct form as an employee of the Executive Branch. 231. Ayers was required to file SFIs for calendar years 2016, 2017, 2018, and 2019 in his capacity as either an Information Technology Policy Specialist 2 or an Information Technology Executive L 232. Ayers was provided with filing reminders by the OA Human Resources Department that were transmitted to employees through the Commonwealth's email system. 233. Ayers filed SFIs electronically for calendar years 2016 through 2018 with OA's Human Resources Department and on the website for the State Ethics Commission for calendar year 2019 with the following disclosures: a. Calendar Year: 2016 Dated: 4/28/2017 on Form SEC-1 REV.01/17 Position: It Policy Specialist II Governmental Entity: Executive Offices Occupation: Analyst Real Estate Interests: None Creditors: Chase Auto Financing, Interest 7.24 % Direct or Indirect Sources of Income: Executive Offices Gifts: None Transportation, Lodging, Hospitality: None Office Directorship or Employment in any Business: None Financial Interests in any Legal Entity in Business for Profit: None Business Interests Transferred to Immediate Family Member: None b. Calendar Year: 2017 Dated: 4/25/2018 on Form SEC-1 REV. 01/18 Position: It Policy Specialist II Governmental Entity: Executive Offices Occupation: Analyst Real Estate Interests: None Creditors: Chase Auto Financing, Interest 7.24 % Direct or Indirect Sources of Income: Executive Offices Gifts: None Transportation, Lodging, Hospitality: None Office Directorship or Employment in any Business: None Financial Interests in any Legal Entity in Business for Profit: None Avers, 19-040 Page 66 Business Interests Transferred to Immediate Family Member: None c. Calendar Year: 2018 Dated: 4/30/2019 on Form SEC-1 REV.01/19 Position: It Policy Specialist 11 Governmental Entity: Executive Offices Occupation: Analyst Real Estate Interests: None Creditors: Chase Auto Financing, Interest 7.24 Direct or Indirect Sources of Income: Executive Offices Gifts: None Transportation, Lodging, Hospitality: None Office Directorship or Employment in any Business: None Financial Interests in any Legal Entity in Business for Profit: None Business Interests Transferred to Immediate Family Member: None d. Calendar Year: 2019 Dated 4/30/20 Position: It Policy Specialist 2, Office of Administration Occupation or Profession: Computers Real Estate Interests: None Creditors: JP Morgan Chase — Car Loan, 4.5 % Direct or Indirect Sources of Income: Cyber Risk Services 41 Susquehanna Ave. Dallas, PA 18612 Robert Ayers Consulting 203 Rock Street Hughestown, PA 18640 Gifts: None Transportation, Lodging, Hospitality: None Office Directorship or Employment in any Business: Robert Ayers DBA 203 Rock Street Hughestown, PA 18612 Position Held: Owner Cyber Risk Services 41 Susquehanna Ave. Dallas, PA 18612 Avers, 19-040 Page 67 Position Held: Consultant Financial Interests in any Legal Entity in Business for Profit: Robert Ayers DBA 203 Rock Street Hughestown, PA 18612 Interest Held: 100 Business Interests Transferred to Immediate Family Member: None 234. The SFIs that Ayers filed for calendar years 2016, 2017, and 2018 failed to disclose income from, employment with, and/or financial interests in CRS. a. Ayers was identified as a consultant and/or threat analyst with CRS beginning in or around 2016 and was directly involved in arranging business for CRS as well as receiving income from CRS. 235. Ayers' SFI for calendar year 2019 disclosed his office, directorship, or employment with CRS and that CRS was a source of income in excess of $1,300.00. a. Income reported from CRS was realized while Ayers was still employed with the Commonwealth. b. The SFI filed by Ayers for the 2019 calendar year was filed after he was notified of the State Ethics Commission investigation. 236. Ayers' SFI for 2019 failed to disclose income from the Commonwealth. a. A W-2 Wage and Tax Statement for Ayers from. the Commonwealth listed his income as $70,935,08. 237. Ayers failed to list income he received from IPSDS in calendar year 2016 for network analysis work performed by Ayers for Chester County. a. The total amount paid was $5,000.00. 238. From 2016 through 2019, while Ayers was an Information Technology Policy Specialist 2 and an Information Technology Executive 1, he was subject to the Governor's Code of Conduct and Statement of Financial Interests. 239. Ayers was required to file Code of Conduct/Statement of Financial Interests forms each year by May I" covering the preceding calendar year. 240. Sections that are required to be completed on a Code of Conduct/Statement of Financial Interests form include the following: Ayers, 19-040 Page 68 a. Personal Economic Interest. b. Business Interests. C. Liabilities. d. Employment (Income Sources). e. Real Property Interests. f. Severance Payments. g. Gifts. 241. Ayers filed Code of Conduct/Statement of Financial Interests forms for calendar years 2016 through 2018 as follows: Calendar Year Date Filed 2016 Electronically submitted 4/28/2017 4:00:02 p.m. 2017 Electronically submitted 4/25/2018 1:48:22 p.m. 2018 Electronically submitted 4/30/2019 9:45:37 a.m. 242. Ayers failed to disclose CRS on his Code of Conduct forms for 2016, 2017, and 2018 as a personal economic interest, business interest, and employment. III. DISCUSSION: As an Information Technology Executive 1 for the Enterprise Information Security Office in the Office of Information Technology within the Governor's Office of Administration ("OA") of the Commonwealth of Pennsylvania ("Commonwealth") from April 8, 2008, until September 24, 2019, Robert A. Ayers, also referred to herein as "Respondent," "Respondent Ayers," and "Ayers," was a public employee subject to the provisions of the Public Official and Employee Ethics Act ("Ethics Act"), 65 Pa.C.S. § 1101 et seq. The allegations are that Ayers violated Sections 1103(a), 1105(b)(5), 1105(b)(8), and 1105(b)(9) of the Ethics Act: (1) When he utilized the authority of his public employment and/or confidential information received through his holding of public employment for the private pecuniary benefit of himself and/or a business with which he is associated, namely Cyber Risk Services, LLC and/or In Plain Sight Digital Security, LLC, when he utilized confidential information and/or his access, influence, and entree to solicit and/or provide information technology security services to various Pennsylvania county governments through a business with which he is/was associated; Avers, 19-040 Page 69 (2) When he utilized Commonwealth resources/property/equipment in furtherance of a private pecuniary benefit/gain; (3) When he utilized his access, influence, and entree with various vendors to secure software products for resale to county governments; (4) When he engaged in business activity for the benefit of himself and/or a business with which he is associated during Commonwealth work hours; and (5) When he filed deficient Statements of Financial Interests ("SFIs") for calendar years 2016 through 2018 when he failed to disclose income from, employment with, and/or financial interests in either Cyber Risk Services, LLC or In Plain Sight Digital Security, LLC, and filed a deficient SF1 for calendar year 2019 when he failed to identify the Commonwealth as a source of income and failed to include his interests in Cyber Risk Services, LLC. Per the Consent Agreement, it appears that the Investigative Division in the exercise of its prosecutorial discretion has elected to nolle pros the allegation in paragraph number 3 above. We therefore need not address that allegation. Pursuant to Section 1103(a) of the Ethics Act, a public official/public employee is prohibited from engaging in conduct that constitutes a conflict of interest: § 1103. Restricted activities (a) Conflict of interest. No public official or public employee shall engage in conduct that constitutes a conflict of interest. 65 Pa.C.S. § 1103(a). The term "conflict of interest" is defined in the Ethics Act as follows: § 1102. Definitions "Conflict" or "conflict of interest." Use by a public official or public employee of the authority of his office or employment or any confidential information received through his holding public office or employment for the private pecuniary benefit of himself, a member of his immediate family or a business with which he or a member of his immediate family is associated. The term does not include an action having a de minimis economic impact or which affects to the same degree a class consisting of the general public or a subclass consisting of an industry, occupation or other group which includes the public official or public employee, a member of his immediate family or a business with which he or a Ayers, 19-040 Page 70 member of his immediate family is associated. 65 Pa.C.S. § 1102. Subject to the statutory exclusions to the Ethics Act's definition of the term "conflict" or "conflict of interest," 65 Pa.C.S. § 1102, pursuant to Section 1103(a) of the Ethics Act, a public official/public employee is prohibited from using the authority of public office/employment or confidential information received by holding such a public position for the private pecuniary benefit of the public official/public employee himself, any member of his immediate family, or a business with which he or a member of his immediate family is associated. Section 1103(a) of the Ethics Act prohibits the use of governmental facilities, equipment, time, and the like for private purposes. See, e.g., Sindiri, Order 1572; Debias, Order 1539; Neff, Order 1498; Morton, Order 1491; Rembold, Order 1417; Cobb, Order 1354; Confidential O ip nion, Order 05-001. Section 1105(b) of the Ethics Act and its subsections detail the financial disclosure that a person required to file the SFI form must provide. Subject to certain statutory exceptions, Section 1105(b)(5) of the Ethics Act requires the filer to disclose on the SFI the name and address of any direct or indirect source of income totaling in the aggregate $1,300 or more. Section 1105(b)(8) of the Ethics Act requires the filer to disclose on the SFI any office, directorship or employment in any business entity. Section I I05(b)(9) of the Ethics Act requires the filer to disclose on the SFI any financial interest in any legal entity engaged in business for profit. The term "financial interest" is defined in the Ethics Act as "[a]ny financial interest in a legal entity engaged in business for profit which comprises more than 5% of the equity of the business or more than 5% of the assets of the economic interest in indebtedness." 65 Pa.C.S. § 1102. As noted above, the parties have submitted a Consent Agreement and Stipulation of Findings. The parties' Stipulated Findings are set forth above as the Findings of this Commission. We shall now summarize the relevant facts as contained therein. Ayers was employed with the Commonwealth as an Information Technology Executive 1 in the Enterprise Information Security Office within OA's Office of Information Technology from April 8, 2008, until September 24, 2019, when he resigned from his Commonwealth employment. Ayers' official duties included supporting all aspects of information technology (IT) security. Ayers directly reported to Commonwealth Chief Information Security Officer Erik Avakian ("Avakian"). On February 1, 2016, Ayers submitted a Supplementary Employment Request form to OA which sought approval for him to work as a consultant for Ayers Security Solutions. On the request form, Ayers reported that he would provide computer security consulting, and he described the work as network intrusion assessments, network security monitoring, virus removal, and Ayers, 19-040 Page 71 remediation and incident investigations. The work listed by Ayers was similar to the work he performed as a Commonwealth employee. Ayers reported that he would complete six to twelve hours of work each week at his home address. Ayers' request for supplementary employment with Ayers Security Systems was subsequently approved. Pamela J. Oliveira ("Oliveira") is Ayers' spouse. Oliveira is the organizer of a company named "Cyber Risk Services, LLC" ("CRS"), which was registered with the Pennsylvania Department of State on February 29, 2016. Although Ayers began doing work for CRS as a threat analyst or consultant in 2016, he never sought approval from OA for supplementary employment with CRS. Ayers' Performance of Consulting Work for Chester County On March 10, 2016, a company named "In Plain Sight Digital Security, LLC" ("IPSDS") was registered with the Pennsylvania Department of State. IPSDS was organized by CRS and MIDA Learning Technologies, LLC ("MIDA") to provide cyber security services to school districts. Oliveira and Michael Speziale ("Speziale") of MIDA were involved in the formation of IPSDS, and Speziale hired Ayers to work for IPSDS as a consultant. During a March 2016 meeting of the County Commissioners Association of Pennsylvania, Avakian had a discussion with Chester County Chief Information Officer Glen Angstadt ("Angstadt") with regard to an apparent increase in network traffic that created a possible eyber security breach for Chester County. It was OA's policy to collaborate with county Chief Information Officers to provide cyber security assistance upon request, and Avakian: informed Angstadt that he would make his staff available to provide an assessment for Chester County. In a conference call with Angstadt and other Chester County employees on March 29, 2016, Avakian told Angstadt that he would send Ayers to Chester County to provide assistance and conduct an assessment. At the direction of Avakian, Ayers went to Chester County in May 2016 to assist with a potential security breach on the Chester County network. Ayers determined that cyber security updates might be necessary, and while he was having discussions with Angstadt, he proposed that he provide a network analysis for Chester County as a paid consultant on behalf of IPSDS. Ayers had access to Angstadt only as a result of his position with the Commonwealth. After Ayers and Speziale visited the Chester County IT Department, Speziale provided Chester County with a proposal for the completion of a network analysis by Ayers as a consultant for a fee of $5,000.00. On May 25, 2016, Chester County approved a $5,000.00 requisition for IPSDS to provide a network analysis. In June 2016, Ayers used a Fidelis XPS Scout portable device to complete a network analysis for Chester County on behalf of IPSDS. A Fidelis sales engineer had loaned the portable device, which could be purchased at a cost of $206,790.00, to the Enterprise Information Security Office for use as a proof of concept in April 2016, and Ayers was able to use the portable device only because he had access to it through his Commonwealth employment. The network analysis report that Ayers provided to Chester County was a dashboard screenshot of a Fidelis XPS Scout report for network traffic analysis. Ayers, 19-040 Page 72 In June 2016, Speziale gave Oliveira total control of IPSDS. On August 26, 2016, IPSDS invoiced Chester County the total amount of $5,000.00 for Ayers' completion of the network analysis. On September 13, 2016, Chester County issued a check in the amount of $5,000.00 to IPSDS. The check was deposited into a CRS business account with M&T Bank, and Ayers received $5,000.00 in income for the work that he performed for Chester County. When Chester County Network Engineer Art Morris questioned Ayers with regard to the findings of his network analysis, Ayers could not provide evidence or documentation to support his findings. Chester County was dissatisfied with the quality of Ayers' work and did not use him to provide any other cyber security -related services: Avers' Provision of Consulting Services to Bucks County On February 11, 2016, Bucks County Chief Information Officer Donald Jacobs ("Jacobs") emailed Avakian, seeking information about a virus found on the Bucks County network. The following day Ayers, as a Commonwealth employee, responded to Bucks County to assist with virus detection and remediation. Jacobs subsequently sent an email to Avakian to thank him for allowing Ayers to provide cyber security assistance to Bucks County. On January 6, 2016, Bucks County had approved a $42,000.00 contract with Donald Brennan & Associates for the provision of IT programming and technical services for 2016. After work under the contract had been completed, Bucks County had funds for the contract that remained unused. In or around the fall of 2016, Jacobs contacted Donald Brennan ("Brennan"), the owner of Donald Brennan & Associates, about the unused contract funds and directed that Brennan subcontract with Ayers/CRS for the balance of the contract. Jacobs was familiar with Ayers only as a result of Ayers' interaction with Bucks County officials and provision of services to Bucks County as a Commonwealth employee. In the fall of 2016, Brennan met with Jacobs, Ayers, and Oliveira to discuss Brennan's subcontract with Ayers/CRS. Brennan agreed to pay CRS from the unused contract funds. On October 27, 2016, CRS submitted an invoice to Brennan for twenty hours of work that Ayers completed for Bucks County. In November 2016, Brennan received a second invoice from CRS for fifty-five hours of work that Ayers completed for Bucks County. In his capacity as a Commonwealth employee, Ayers had exclusive access to a Gigamon Tap device which the Commonwealth had purchased in April 2015 at a cost of $12,761.84, and he used the device to perform work for Bucks County under the subcontract with Brennan. From November 2016 through January 2017, Brennan paid CRS a total of $18,920.00 in unused contract funds for cyber security consulting services provided by Ayers to Bucks County under the subcontract. In or about February 2018, Ayers and Jacobs discussed CRS contracting with Bucks County to provide cyber security consulting services. From. February 2018 through April 2018, CRS provided cyber security consulting services to Bucks County without a contract. On March 7, 2018, CRS invoiced Bucks County a total of $6,000.00 for work that Ayers completed from February 7, 2018, through March 6, 2018. On March 28, 2018, CRS invoiced Bucks County a total of $4,800.00 for work that Ayers completed from March 7, 2018, through March 28, 2018. On May 1, 2018, CRS invoiced Bucks County a total of $8,160.00 for work that Ayers completed Ayers, 19-040 Page 73 from March 29, 2018, through April 17, 2018. Bucks County paid the invoices in full by issuing checks to CRS. The work detailed on the CRS invoice of March 7, 2018, included the implementation of a Gemini Data Systems ("Gemini Data") S-Box Server, which Ayers obtained from Gemini Data by communicating directly with Gemini Data sales representative Julia Yueh ("Yueh"), who he met through his Commonwealth employment. S-Box Servers are secure hardware devices that allow for the installation of Splunk security software. Ayers received training on the use of Splunk security software through his Commonwealth employment. On May 23, 2018, Ayers emailed a "Cyber Security Roadmap" for Bucks County to Jacobs and Bucks County Network Engineer Scott Wilson ("Wilson") which proposed that Bucks County purchase Gemini Data S-Box Servers, Splunk security software, and Carbon Black security software to provide it with a more secure cyber security environment. The Cyber Security Roadmap indicated that the proposed cyber security arrangement could be managed by Bucks County or by CRS as a consultant, with CRS acting as the conduit for hardware support and software support provided by Gemini Data and Splunk, respectively. On July 13, 2018, Ayers emailed a quote to Jacobs and Wilson which proposed that CRS provide five hundred hours of various cyber security services annually at $140.00 per hour. The proposed services included the management and maintenance of Splunk and Carbon Black security components. On October 17, 2018, the Bucks County Commissioners approved a $70,000.00 contract with CRS for the provision of Cyber security services, including management and maintenance of security components, from November 1, 2018, through October 31, 2019. Ayers was able to secure this contract for CRS only because of his prior assignments to provide assistance to Bucks County as a Commonwealth employee. The Bucks County Commissioners also approved a contract with Gemini Data, which resulted in Bucks County purchasing two Gemini Data S-Box Servers. The Bucks County Commissioners additionally approved a contract with a Splunk distributor for the purchase of Splunk security software. CRS received a commission of $2,442.00 from Gemini Data in relation to Bucks County's purchase of Gemini Data products. CRS additionally received a commission in the amount of $1,263.16 from a Splunk wholesaler, Carahsoft Technology Corporation, for Ayers' actions that resulted in the sale of Splunk security software to Bucks County. On February 6, 2019, the Bucks County Commissioners approved a $38,280.00 contract with CRS for the purchase of 2,200 software licenses for Carbon Black security software. CRS realized a profit of $3,894.00 from the sale of the Carbon Black software licenses to Bucks County. On November 18, 2019, CRS received a second commission in the amount of $1,263.16 from Carahsoft Technology Corporation for providing continued customer service for Splunk security software in Bucks County. From March 2018 through February 2020, Bucks County made payments totaling $150,940.00 to CRS for Cyber security work that Ayers performed for Bucks County on behalf of CRS. Ayers was able to secure work/contracts with Bucks County for CRS only because of the Ayers, i 9-040 Page 74 assistance he had provided to Bucks County as a Commonwealth employee. Bucks County severed the business relationship with CRS and Ayers in February 2020. As a full-time Commonwealth employee, Ayers' work hours were from 10:00 a.m. to 6:00 p.m. Between January 1, 2018, and September 24, 2019, Ayers, as a threat analyst or consultant for CRS, corresponded frequently by email with officials of the Bucks County Information Technology Department during his regular Commonwealth work hours. Ayers also communicated by telephone calls or texts with various parties in relation to CRS business during his regular Commonwealth work hours, including: (1) 278 telephone calls with Yueh; (2) 255 telephone calls with Jacobs; (3) 76 telephone calls or texts involving Wilson; (4) 46 telephone calls or texts involving officials of the Bucks County Information Technology Department; and (5) 117 telephone calls or texts involving an account manager for Carbon Black. Additionally, on March 29, 2018, April 13, 2018, and April 4, 2019, Ayers worked onsite at the Bucks County Information Technology Department during his Commonwealth work hours without taking leave. Ayers received a total of $992.70 in compensation from the Commonwealth for the three workdays that he spent performing work for CRS in Bucks County. From 2016 through 2019, a total of $192,547.32 was deposited into a CRS business account with M&T Bank as a result of consulting work that Ayers performed on behalf of CRS. Funds from the CRS business account were used to make payments on a Sam's Club Mastercard that Ayers used to purchase gas, food, and lodging, to make payments to the Pennsylvania State University for Ayers' son's educational expenses, and to make payments on a loan for an automobile owned by Ayers. The Pennsylvania Office of State Inspector General ("OSIG") issued an Investigative Report on September 19, 2019, after conducting an investigation into whether Ayers violated Commonwealth supplementary employment rules through his operation of a private security company since February 2016. OSIG concluded that between January 2016 and December 2018, Ayers notified OA that he would be out of the office on 20 workdays but failed to submit leave. OSIG further concluded that Ayers' supplementary employment presented several potential or actual violations of Commonwealth supplementary employment rules. On September 24, 2019, OA determined that Ayers did not utilize a minimum of 142.5 hours of annual leave for time spent performing work on behalf of CRS. OA accordingly deducted 142.5 hours (19 days) from Ayers' annual leave allowance. Ayers resigned from his Commonwealth employment on September 24, 2019, Ayers' SFIs Ayers, in his capacity as an Information Technology Executive 1, was required to annually file an SFI by May 1 containing information for the prior calendar year. Ayers failed to disclose: (1) IPSDS as a reportable source of income on his SFI for calendar year 2016; (2) CRS as a reportable source of income on his SFIs for calendar years 2016, 2017, and 2018; and (3) the Commonwealth as a reportable source of income on his SFI for calendar year 2019. Ayers additionally failed to disclose his employment with and/or his financial interests in CRS on his SFIs for calendar years 2016, 2017, and 2018. Ayers, 19-040 Page 75 Having highlighted the Stipulated bindings and issues before us, we shall now apply the Ethics Act to determine the proper disposition of this case. The parties' Consent Agreement sets forth a proposed resolution of the allegations as follows: 3. The Investigative Division will recommend the following in relation to the above allegations: a. That violations of Section 1103(a) of the Public Official and Employee Ethics Act, 65 Pa.C.S. § 1103(a), occurred when Ayers utilized confidential information and his access as an Information Technology Executive 1 to obtain contracts with county governments to provide informational technology services resulting in a private pecuniary benefit to himself and Cyber Risk Services, LLC; when Ayers utilized Commonwealth resources/property/equipment, resulting in a private pecuniary benefit to himself and Cyber Risk Services, LLC; and when he engaged in private business activity for Cyber Risk Services, LLC during Commonwealth business hours. b. That a violation of Section 1105(b)(5), (8), and (9) of the Public Official and Employee Ethics Act, 65 Pa.C.S. § 1105(b)(5), (8), and (9), occurred when Ayers failed to disclose income, employment, and/or financial interests in either Cyber Risk Services, LLC and/or In Plain Sight Digital Security, LLC for calendar years 2016, 2017, 2018, and 2019; and when he failed to identify the Commonwealth of Pennsylvania as a source of income for calendar year 2019. 4. Ayers agrees to make payment in the amount of $11,000.00 in settlement of this matter. a. Ayers agrees to make a payment of $10,000.00 payable to the Commonwealth of Pennsylvania and forwarded to the Pennsylvania State Ethics Commission. This payment may be made in monthly installments of no less than $400.00 and must be paid within 24 months from the date this Order is final. The first payment is due within thirty (30) days of the issuance of the final adjudication in this matter. b. Ayers agrees to make a payment of $1,000.00 representing a portion of the costs incurred by the Commission in the investigation and enforcement of this matter, which shall be A_yecs, I9-040 Page 76 made payable to the Pennsylvania State Ethics Commission within sixty (60) days of the issuance of the final adjudication in this matter. This payment may also be paid in conjunction with the payment schedule listed in paragraph 4(a), above (i.e., the first $1,000.00 of the payment plan can be paid towards the portion of costs in this paragraph). 5. Ayers agrees to file complete and accurate amended Statements of Financial Interests with the Governor's Office of Administration, through the Pennsylvania State Ethics Commission, for calendar years 2016, 2017, 2018, and 2019 within thirty (30) days of the issuance of the final adjudication in this matter if he has not already done so. 6. Ayers agrees to not accept any reimbursement, compensation or other payment from the Commonwealth of Pennsylvania representing a full or partial reimbursement of the amount paid in settlement of this matter. 7. As part of this Consent Agreement, the parties have agreed to the State Ethics Commission making a determination to recommend to any law enforcement or other authority to take action in this matter. This does not prohibit the Investigative Division from initiating appropriate enforcement actions in the event of Respondent's failure to comply with this agreement or the Commission's Order or cooperating with any other authority who may so choose to review this matter. Consent Agreement, at 3-4. We accept the recommendation of the parties for a finding that violations of Section 1103(a) of the Ethics Act occurred when Ayers utilized confidential information and his access as an Information Technology Executive I to obtain contracts with county governments to provide informational technology services, resulting in a private pecuniary benefit to himself and CRS; when he utilized Commonwealth resources/property/equipment, resulting in a private pecuniary benefit to himself and CRS; and when he engaged in private business activity for CRS during Commonwealth business hours. Ayers' spouse is the organizer of CRS. In February 2016, Ayers began doing work for CRS as a threat analyst or consultant. In or around March 2016, Ayers was hired to work as a consultant for IPSDS, which was organized by CRS and another entity. While Ayers was performing work for Chester County as a Commonwealth employee in May 2016, he proposed to Chester County's Chief Information Officer that he provide a network analysis for Chester County as a paid consultant on behalf of IPSDS. Ayers had access to the Chief Information Officer only as a result of his position with the Commonwealth. Ayers used the Avers, 1 9-040 Page 77 authority of his public position when he utilized a portable device costing $206,790.00, which he had access to only because it was on loan to the Commonwealth, to complete a network analysis for Chester County on behalf of IPSDS. A check in the amount of $5,000.00 that Chester County issued to IPSDS for the work performed by Ayers was deposited into a CRS business account with M&T Bank. The parties have stipulated that Ayers and CRS realized a private pecuniary gain of $5,000.00 in relation to Ayers' performance of the network analysis for Chester County. After Ayers provided cyber security assistance to Bucks County in his position as a Commonwealth employee, he performed work for Bucks County on behalf of CRS under a subcontract. Ayers used the authority of his public position when he utilized a Commonwealth - owned device costing $12,761.84 to complete the work for Bucks County in the fall of 2016. CRS was paid a total of $18,920.00 for the services that Ayers provided to Bucks County under the subcontract. From February 2018 until April 2018, CRS provided cyber security consultant services to Bucks County without a contract. Bucks County subsequently entered into a $70,000.00 contract with CRS for the provision of cyber security services from November 1, 2018, through October 31, 2019. In addition to payments received under this contract, CRS received commissions from companies in relation to Bucks County's purchase of computer hardware and software recommended by Ayers. In February 2019, Bucks County entered into a $38,280.00 contract with CRS for the purchase of software licenses for security software. From March 2018 through February 2020, Bucks County made payments totaling $150,940.00 to CRS for cyber security work that Ayers performed for Bucks County on behalf of CRS. Ayers was able to secure work/contracts with Bucks County for CRS only because of the assistance he had provided to Bucks County as a Commonwealth employee. As detailed above, between January 1, 2018, and September 24, 2019, Ayers communicated by at least 772 telephone calls or texts with various parties in relation to CRS business during his normal Commonwealth work hours. Ayers additionally received compensation from the Commonwealth for three workdays that he spent performing work for CRS in Bucks County without taking leave. Based upon the Stipulated Findings and Consent Agreement, we hold that Ayers violated Section 1103(a) of the Ethics Act, 65 Pa.C.S. § 1103(a), when he utilized confidential information and his access as an Information Technology Executive 1 to obtain contracts with county governments to provide informational technology services, resulting in a private pecuniary benefit to himself and CRS; when he utilized Commonwealth resources/property/equipment, resulting in a private pecuniary benefit to himself and CRS; and when he engaged in private business activity for CRS during Commonwealth business hours. Turning to the allegations regarding Ayers' SFIs, we agree with the parties, and we hold, that a violation of Sections 1105(b)(5), (8), and (9) of the Ethics Act, 65 Pa.C.S. §§ 1105(b)(5), (8), and (9), occurred when Ayers failed to disclose income from, employment with, and/or financial interests in either CRS or IPSDS on SFIs for calendar years 2016, 2017, 2018, and 2019; Avers, 19-040 Page 78 and when he failed to identify the Commonwealth as a source of income on an SFl for calendar year 2019. As part of the Consent Agreement, Ayers has agreed to make payment in the total amount of $11,000.00 in settlement of this matter, with $10,000.00 payable to the Commonwealth and $1,000.00 payable to this Commission, as detailed herein. Ayers has agreed to not accept any reimbursement, compensation or other payment from the Commonwealth representing a full or partial reimbursement of the amount paid in settlement of this matter. To the extent he has not already done so, Ayers has agreed to file complete and accurate amended SFIs for calendar years 2016, 2017, 2018, and 2019 with OA, through this Commission, within thirty (30) days of the issuance of the final adjudication in this matter. We determine that the Consent Agreement submitted by the parties sets forth a proper disposition for this case, based upon our review as reflected in the above analysis and the totality of the facts and circumstances. Accordingly, per the Consent Agreement of the parties, Ayers is directed to make payment in the total amount of $11,000.00 as follows: a. A payment of $10,000.00 payable to the Commonwealth of Pennsylvania and forwarded to the Pennsylvania State Ethics Commission. This payment may be made in monthly installments of no less than $400.00 and must be paid within 24 months from the mailing date of this adjudication and Order. The first payment is due by no later than the thirtieth (301h) day after the mailing date of this adjudication and Order. b. A payment of $1,000.00, representing a portion of the costs incurred by this Commission in the investigation and enforcement of this matter, which shall be made payable to the Pennsylvania State Ethics Commission and forwarded to this Commission by no later than the sixtieth (601h) day after the mailing date of this adjudication and Order. This payment may also be paid in conjunction with the payment schedule listed in paragraph (a) above (i.e., the first $1,000.00 of the payment plan can be paid towards the portion of costs in this paragraph). Per the Consent Agreement of the parties, Ayers is directed to not accept any reimbursement, compensation or other payment from the Commonwealth representing a full or partial reimbursement of the amount paid in settlement of this matter. To the extent he has not already done so, Ayers is directed to file complete and accurate amended SFIs for calendar years 2016, 2017, 2018, and 2019 with OA, through this Commission, by no later than the thirtieth (30th) day after the mailing date of this adjudication and Order. Ayers, 19-040 Page 79 Compliance with the foregoing will result in the closing of this case with no further action by this Commission. Noncompliance will result in the institution of an order enforcement action. IV. CONCLUSIONS OF LAW: 1. As an Information Technology Executive 1 for the Enterprise Information Security Office in the Office of Information Technology within the Governor's Office of Administration of the Commonwealth of Pennsylvania ("Commonwealth") from April 8, 2008, until September 24, 2019, Robert A. Ayers ("Ayers") was a public employee subject to the provisions of the Public Official and Employee Ethics Act ("Ethics Act"), 65 Pa.C.S. § 1101 et seq. 2. Ayers violated Section 1103(a) of the Ethics Act, 65 Pa.C.S. § 1103(a), when he utilized confidential information and his access as an Information Technology Executive I to obtain contracts with county governments to provide informational technology services, resulting in a private pecuniary benefit to himself and Cyber Risk Services, LLC; when he utilized Commonwealth resources/property/equipment, resulting in a private pecuniary benefit to himself and Cyber Risk Services, LLC; and when he engaged in private business activity for Cyber Risk Services, LLC during Commonwealth business hours. 3. A violation of Sections 1105(b)(5), (8), and (9) of the Ethics Act, 65 Pa.C.S. §§ 1105(b)(5), (8), and (9), occurred when Ayers failed to disclose income from, employment with, and/or financial interests in either Cyber Risk Services, LLC or In Plain Sight Digital Security, LLC on Statements of Financial Interests for calendar years 2016, 2017, 2018, and 2019; and when he failed to identify the Commonwealth as a source of income on a Statement of Financial Interests for calendar year 2019. In Re: Robert A. Ayers, Respondent File Docket: 19-040 Date Decided: 12/1/21 Date Mailed: 12/2/21 ORDER NO. 1796 1. Robert A. Ayers ("Ayers") violated Section 1103(a) of the Public Official and Employee Ethics Act ("Ethics Act"), 65 Pa.C.S. § 1103(a), when he utilized confidential information and his access as an Information Technology Executive I for the Enterprise Information Security Office in the Office of Information Technology within the Governor's Office of Administration of the Commonwealth of Pennsylvania ("Commonwealth") to obtain contracts with county governments to provide informational technology services, resulting in a private pecuniary benefit to himself and Cyber Risk Services, LLC; when he utilized Commonwealth resources/property/equipment, resulting in a private pecuniary benefit to himself and Cyber Risk Services, LLC; and when he engaged in private business activity for Cyber Risk Services, LLC during Commonwealth business hours. 2. A violation of Sections 1105(b)(5), (8), and (9) of the Ethics Act, 65 Pa.C.S. §§ 1105(b)(5), (8), and (9), occurred when Ayers failed to disclose income from, employment with, and/or financial interests in either Cyber Risk Services, LLC or In Plain Sight Digital Security, LLC on Statements of Financial Interests for calendar years 2016, 2017, 2018, and 2019; and when he failed to identify the Commonwealth as a source of income on a Statement of Financial Interests for calendar year 2019. Per the Consent Agreement of the parties, Ayers is directed to make payment in the total amount of $11,000.00 as follows: a. A payment of $10,000.00 payable to the Commonwealth of Pennsylvania and forwarded to the Pennsylvania State Ethics Commission. This payment may be made in monthly installments of no less than $400.00 and must be paid within 24 months from the mailing date of this Order. The first payment is due by no later than the thirtieth (30fh) day after the mailing date of this Order. b. A payment of $1,000.00, representing a portion of the costs incurred by this Commission in the investigation and enforcement of this matter, which shall be made payable to the Pennsylvania State Ethics Commission and forwarded to this Commission by no later than the sixtieth (60th) day after the mailing date of this Order. This payment may also be paid in conjunction with the payment schedule listed in paragraph (a) above (i.e., the first $1,000.00 of the payment plan can be paid towards the portion of costs in this paragraph). 4. Per the Consent Agreement of the parties, Ayers is directed to not accept any reimbursement, compensation or other payment from the Commonwealth representing a full or partial reimbursement of the amount paid in settlement of this matter. Ayers, 19-040 Page 81 5. To the extent he has not already done so, Ayers is directed to file complete and accurate amended Statements of Financial Interests for calendar years 2016, 2017, 2018, and 2019 with the Governor's Office of Administration, through this Commission, by no later than the thirtieth (30'h) day after the mailing date of this adjudication and Order. 6. Compliance with paragraphs 3, 4, and 5 of this Order will result in the closing of this case with no further action by this Commission, a. Noncompliance will result in the institution of an order enforcement action. BY THE COMMISSION, Nicholas A. Colafella, Chai