NHS England’s security response has triggered a transparency fight
NHS England is facing mounting opposition after telling staff that existing and future software should be pulled from public view by 11 May, citing concerns that AI systems can identify vulnerabilities in openly published code. The move, which critics describe as both ineffective and damaging, is attracting a growing backlash from technologists, campaigners, and former officials who argue that closing code does little to improve security while undermining transparency and reuse.
At the center of the dispute is a new class of AI-enabled software analysis. According to New Scientist's reporting, concern intensified after reports that Mythos, an AI created by Anthropic, could discover flaws in virtually any software. NHS England's response was to tell staff that code developed with public funding should be kept behind closed doors rather than openly available online.
The decision cuts against existing policy
The move is controversial partly because it runs directly against the NHS service standard, which requires software produced by staff to be open source so it can be reused, improved, and built upon without duplicated effort. Open-source supporters argue that this approach is not only more efficient for the public sector but often more secure, because more reviewers can inspect and improve the code.
An open letter calling on NHS England to reverse the decision quickly gathered hundreds of signatures, including author Cory Doctorow and former UK health secretary Matt Hancock. In comments highlighted by the report, Hancock called the policy a major mistake and argued that publicly funded code should remain available to the public that paid for it.
Critics say secrecy is not security
The strongest objection is technical rather than ideological. Experts quoted in the report say withdrawing code from public repositories will not meaningfully improve security. If AI tools make vulnerabilities easier to find, defenders can run the same tools over their own code. More importantly, keeping software private does not remove the flaws; it only changes who is able to inspect them.
Vlad-Stefan Harbuz of the University of Edinburgh, a co-author of the open letter, said his group had used Mythos to scan open-source NHS code and found a small number of relatively severe vulnerabilities, which were responsibly disclosed before the current policy shift. That detail complicates the story. It suggests the threat is real enough to produce actionable findings, but those findings were made and disclosed precisely because the code was open to outside scrutiny, which supports the critics' argument that auditing and remediation, not concealment, are the practical responses.
A larger question about public software in the age of AI
The NHS case exposes a broader dilemma that many public institutions will face. Open-source software has long been defended on grounds of efficiency, interoperability, accountability, and security through scrutiny. AI-assisted code analysis changes the economics of scrutiny by lowering the cost of finding bugs for both defenders and attackers. The question is whether that shift invalidates the old open-source logic or makes disciplined maintenance even more important.
NHS England appears to be acting on the assumption that public visibility now creates too much risk. Opponents argue the opposite: when AI makes vulnerability discovery easier, the answer is stronger patching, auditing, and governance, not retreat from openness.
Why this matters beyond the NHS
The fight will matter outside British healthcare because governments everywhere are re-evaluating digital risk under the pressure of increasingly capable AI tools. If a major public institution decides that code openness is no longer tenable, others may follow. If the backlash succeeds, it may reinforce the idea that transparency remains compatible with stronger security, provided institutions invest in modern defensive practices.
For now, NHS England has turned a technical security concern into a high-profile policy test. The underlying fear is understandable: AI may make it easier to find flaws at scale. But critics are pressing a harder question. Is hiding code a genuine defense, or merely a visible reaction to a fast-moving threat? The answer could shape how public sector software is governed well beyond the NHS.
This article is based on reporting by New Scientist and was originally published on newscientist.com.