Mythos: Backlash builds over NHS plan to hide source code from AI hacking risk


NHS England normally makes the software it develops open source
There is growing backlash over NHS England’s decision to remove open source code created with UK taxpayers’ money due to the risk posed by hacking AI models.
Last month, Mythos, an AI created by technology company Anthropic, was widely reported to be able to discover flaws in virtually any software, potentially allowing hackers to break into the systems running it. NHS England has now told staff that existing and future software must be removed from public view and kept behind closed doors by May 11 due to this risk.
The decision goes against the NHS service standard, which requires staff to make any software they produce open source so that tools can be developed, improved and used without the need for duplicate effort. And experts say removing the code from public view will do nothing to improve security.
Now an open letter calling on NHS England to reverse its decision is attracting hundreds of signatures. At the time of writing, 682 people have signed the letter, including author and digital rights campaigner Cory Doctorow and former UK Health Secretary Matt Hancock, who, when contacted for comment by New Scientist, pointed to a LinkedIn post in which he called the policy a “huge mistake.”
“One of the smartest things the NHS has done in recent years has been to make its code open source. Taxpayers paid for it, so taxpayers should benefit from it,” Hancock wrote. “But the practical case is just as strong: open source code is more rigorously tested, more secure, and allows the best minds around the world to build on it.”
Vlad-Stefan Harbuz, from the University of Edinburgh, UK, is a co-author of the open letter. He has access to Mythos and was part of a group that recently used it to scan open source NHS code for vulnerabilities. They discovered “some relatively serious vulnerabilities” which were responsibly disclosed to the NHS before the decision to remove the open source projects.
“I don’t know if the vulnerabilities we reported were the impetus for this project, but that’s probably part of it,” Harbuz says. “Regular, publicly accessible security audits [large language models] can find the same vulnerabilities that we found. Mythos makes things a little less labor intensive. But the real problem is a systemic underinvestment in cybersecurity, which was the case before Mythos even existed.”
Harbuz believes that backups of all NHS code will still exist and be used to train a variety of AI models, but pulling them from GitHub prevents experts who care about the quality and safety of public services from contributing. “It’s the helpers we hurt by making things closed, not the attackers,” says Harbuz.
The UK government-backed AI Security Institute (AISI) investigated Mythos and found that it was capable of attacking only “small, vulnerable, weakly defended enterprise systems”, concluding that there was no indication that a truly secure network or software would be at risk.
Terence Eden, who has extensive experience in the UK civil service in opening up access to public data, agrees that the move makes no logical sense.
“People’s trust in the NHS depends on open, transparent and honest health services. Given that our healthcare relies to a large extent on digital tools, this means that open source is non-negotiable. We have the right to see how these tools work. I strongly urge the NHS to respond positively to the petition and keep its promises to the community,” says Eden.
The UK Department of Health and Social Care did not respond to a request for comment, while an NHS England spokesperson repeated its previous statement: “We are temporarily restricting access to some NHS England source code to further strengthen cybersecurity while we assess the impact of rapid developments in AI models. We will continue to release source code where there is a clear need.”
