Backlash builds over NHS plan to hide source code from AI hacking risk
NHS England has decided to remove its open-source software from public access due to concerns over hacking risks posed by advanced AI models like Mythos. The AI, developed by Anthropic, has demonstrated the ability to identify vulnerabilities in software, raising fears that malicious actors could exploit NHS systems. Staff have been instructed to withdraw existing and future software from public platforms by 11 May, reversing a longstanding policy that mandated open-sourcing software developed with taxpayer funds.

This move has sparked significant backlash from digital rights advocates, cybersecurity experts, and former government officials. Critics argue that making NHS software closed-source undermines transparency, collaboration, and security. An open letter opposing the decision has garnered hundreds of signatures, including from author and campaigner Cory Doctorow and former UK health secretary Matt Hancock. Hancock described the policy as a “huge mistake,” emphasizing that open-source code benefits taxpayers by enabling broader scrutiny, more rigorous testing, and continuous improvement from a global community of developers.

Experts involved in the debate highlight that the vulnerabilities Mythos uncovered in NHS code were responsibly disclosed before the decision to pull the software. Vlad-Stefan Harbuz, a co-author of the open letter and researcher at the University of Edinburgh, noted that while AI tools like Mythos make vulnerability detection easier, the core issue lies in chronic underinvestment in cybersecurity. He warned that removing code from public repositories primarily harms those who seek to improve NHS software rather than deterring attackers, as backups of the code will still exist and potentially be used to train AI models.

The controversy underscores broader tensions between security and openness in public sector technology. While NHS England aims to protect its systems from emerging AI-driven threats, critics caution that reducing transparency may hinder collaborative efforts to strengthen cybersecurity and innovation within the health service. The debate continues as stakeholders call for more balanced approaches to safeguarding critical digital infrastructure.
Original story by New Scientist