Backlash Grows Against NHS Plan to Conceal Source Code Amid AI Hacking Risks


NHS England’s recent move to withdraw open source code developed with taxpayer funds has led to significant backlash due to concerns over computer hacking by AI models.

Recent reports revealed that Mythos, an AI from Anthropic, can identify vulnerabilities in software, potentially enabling hackers to exploit systems using that software. Consequently, NHS England has mandated that all existing and future software must be restricted from public access by May 11 to mitigate these risks.

This shift contradicts the NHS service standards, which require software produced by staff to be published as open source. That openness lets others improve and reuse the tools rather than duplicate the work, and experts argue that withdrawing the code does not in itself make it more secure.

In response, an open letter has amassed hundreds of signatures urging NHS England to reconsider its stance. At present, 682 signatories include writers and digital rights advocates. Notably, Cory Doctorow and former UK Health Secretary Matt Hancock have been approached for comments. Mr. Hancock labeled the initiative a “significant error” in a LinkedIn post, asserting that the decision undermines public investment.

“Opening source code has been one of the NHS’s most forward-thinking strategies. This work was funded by taxpayers; hence they should reap the rewards,” Mr. Hancock noted. “The empirical evidence also supports that open source code is subjected to more rigorous testing, is inherently more secure, and can be enhanced by talented individuals globally.”

Vlad Stefan Halbs, from the University of Edinburgh, co-signed the open letter. He has utilized Mythos to assess vulnerabilities within the NHS’s open source code, uncovering “multiple significant vulnerabilities” which were responsibly reported to the NHS before the project’s decommissioning.

“While we cannot confirm if our reported vulnerabilities triggered this course of action, they likely contributed,” Halbs remarked. “Routine security assessments and public disclosures, aided by large language models, can uncover similar vulnerabilities. Mythos merely streamlines the process. The fundamental issue, however, remains a severe underinvestment in cybersecurity, a problem that predates Mythos.”

Halbs speculates that backups of the NHS code will persist, potentially repurposed for training various AI models. Yet, he questions whether restricting access from GitHub will deter professionals dedicated to enhancing the quality and security of public services from contributing. “By closing access, we are alienating our supporters, not our adversaries,” Halbs concluded.

A report by the UK government-backed AI Security Institute (AISI) on Mythos indicated its limitations, revealing it could primarily target “small, poorly defended corporate systems,” and showing no evidence that genuinely secure networks were threatened.

Terence Eden, a British civil servant with a history of advocating for public data access, criticized the decision as illogical.

“Trust in the NHS hinges on its openness, transparency, and honesty. Given our healthcare system’s reliance on digital technologies, open source is essential. It is our right to understand the operation of these tools. I urge the NHS to heed this petition and uphold its obligations to the community,” Eden stated.

The UK Department of Health and Human Services did not respond to inquiries. Meanwhile, a spokesperson for NHS England reiterated its stance: “To fortify our cybersecurity amid rapid AI model advancements, we are temporarily restricting access to certain NHS England source code. Nonetheless, we will continue to publicly share source code whenever deemed essential.”

Source: www.newscientist.com