NHS England removed its open-source software repositories from public view following concerns that artificial intelligence systems could exploit the code to identify vulnerabilities and launch cyberattacks. The decision targets repositories built by the health service, moving them behind closed access.
The move responds to an emerging threat: AI models trained to find security flaws. Tools such as Mythos, developed by researchers, show that a model can sweep a codebase for exploitable weaknesses far faster than human review, turning a public repository into a ready-made target list. NHS officials judged that risk substantial enough to restrict access to software that powers parts of the English health system.
Security researchers and open-source advocates have challenged the decision. Critics argue that hiding code reduces transparency and prevents independent security audits that typically strengthen software. Open-source communities rely on distributed scrutiny to catch flaws before attackers exploit them.
The decision also faces pushback from efficiency advocates. Many argue that keeping NHS code publicly available accelerates improvement through community contributions and collaboration. Removing access eliminates this collaborative advantage.
Security experts point out a fundamental problem with the strategy: obscurity alone is not protection. Code that was ever public typically survives in clones, forks, mirrors, package builds and archive caches, so withdrawing the canonical repository does not put it beyond an attacker's reach; it only removes it from the defenders who would have reviewed it. A determined attacker who can reach the deployed systems can also reverse-engineer the running software and find the same flaws that open review might have surfaced first. The move therefore trades community-driven scrutiny for security through secrecy, a stance long rejected in security engineering (Kerckhoffs's principle: a system must remain secure even when everything but the key is known) and one that works only until the code leaks, which for previously public code has in effect already happened.
NHS England has not released details on which specific repositories were affected or provided a timeline for potential reinstatement. The decision reflects broader tensions in healthcare IT between openness and operational security. Other healthcare systems have maintained open-source approaches while implementing additional security layers and monitoring.
The incident raises questions about how public institutions should balance transparency requirements with cybersecurity imperatives as AI capabilities advance. Similar debates are occurring across government and critical infrastructure sectors facing comparable threats.
THE BOTTOM LINE: Restricting public access to code makes organizations feel more secure but doesn
