NHS England has removed open-source software from public repositories to protect against AI-powered hacking, sparking criticism from transparency and cybersecurity advocates.

The health service cited concerns about large language models like Mythos, which can analyze source code to identify vulnerabilities, as justification for restricting access to its publicly available software. The move reflects growing anxiety about malicious actors using AI tools to discover exploitable weaknesses in critical infrastructure.

However, the decision has drawn pushback from security researchers and open-source advocates who argue the strategy is both ineffective and counterproductive. Critics contend that removing code from public view offers minimal real protection. Attackers motivated enough to target NHS systems will find alternative ways to access software, whether through archived copies, leaked repositories, or insider information. Security through obscurity has long been dismissed by researchers as a weak defense compared to transparent code review and rapid patching.

The backlash also focuses on collateral damage to legitimate users. Open-source software benefits from public scrutiny. When many eyes examine code, bugs and security flaws surface faster than in closed systems. NHS developers and contractors who previously benefited from transparency and community contributions now face friction in development workflows.

The decision also raises questions about proportionality. While AI-assisted hacking represents a real emerging threat, restricting access to NHS code may address symptoms rather than root causes. Experts suggest that investment in robust security practices, regular auditing, and patching speed matters more than keeping code hidden.

This tension reflects a broader policy challenge: balancing transparency with security in public institutions. The NHS move suggests a defensive posture that favors secrecy, whereas many cybersecurity researchers recommend one that favors visibility and rapid response. Whether restricting code access actually reduces breach risk remains unproven.

The NHS decision may also set a problematic precedent for other public sector organizations weighing similar choices about open-source contributions.