Servers that host internet service for more than 30 state agencies are vulnerable to a cyberattack, according to a legislative audit released this week.

The Maryland State Archives, which oversees the five servers, did not update the operating systems in more than five years, auditors found. Without the protective software patches and updates, Internet service for nearly the entire state government could be at risk, Legislative Auditor Thomas J. Barnickel III said.


Auditors said there was no evidence of hacking, merely a weakness in the system that could hypothetically knock most state agencies offline or direct state Internet traffic to malicious sites. The audit, released Tuesday, also found that the archives had inadequate procedures to prevent loss or employee theft of its $31.4 million art collection.

The report prompted calls for a quick fix from Del. Jon Cardin, a a Baltimore County Democrat, who pointed out that the audit arrived on "the same day Wall Street suffered a near meltdown at the hands of a Twitter hacker."

Stocks tumbled Tuesday when a hacker tweeted from an Associated Press account a bogus report that bombs had exploded in the White House and President Barack Obama had been injured. While the stocks recovered — after a reported $200 billion loss — the incident sparked a nationwide conversation on cybersecurity.

"I am deeply concerned that while we are being threatened by 21st-century cybercriminals, the state is operating in a 20th-century world," Cardin said. "If we are not one step ahead of these cybercriminals, we are at risk."

In a letter responding to the audit, State Archivist Edward C. Papenfuse acknowledged the software weakness and said the agency would apply patches as soon as they become available, as well as acquire new servers that are updated with the most recent software.

Sen. James Rosapepe, a Prince George's County Democrat who co-chairs the Joint Audit Committee, said "the audit confirms common sense that technology is moving so fast that the management and protection of that technology from failure has not caught up."

The weakness of those state servers, Rosapepe said, may provide an opportunity for Maryland to bolster its cyberprotections to be among the most secure in the country. Rosapepe said he considers that goal reasonable given that the state is home to the U.S. Cyber Command and the National Security Agency.

This year, state lawmakers approved $3 million worth of tax credits to companies working on cybersecurity issues.">