In a move that has sparked debate and raised eyebrows, NHS England is scrambling to hide its software from public view, citing fears of AI-powered hacking. This decision, which goes against the organization's own service standards, has left many questioning its logic and potential implications.
The Myth of Mythos
The catalyst for this sudden change in policy is the emergence of Mythos, an AI model developed by Anthropic. Mythos has been touted as a potential game-changer in the world of cybersecurity, with reports suggesting it can identify flaws in virtually any software. However, this very capability has prompted NHS England to take a cautious approach, fearing that Mythos could be used to exploit vulnerabilities in their systems.
A Counterintuitive Move
What makes this decision particularly intriguing is that NHS England's software, created with public funds, has traditionally been made open-source and accessible on GitHub. This practice allowed other organizations to build upon it, fostering collaboration and efficiency. However, the new guidance issued by NHS England demands that all software be kept private, with a strict deadline for making the transition.
The guidance specifically cites Mythos as the reason for this change, stating that public repositories increase the risk of unintended disclosure of sensitive information. But is this fear justified?
Expert Opinions and Misconceptions
The UK government-backed AI Security Institute (AISI) has investigated Mythos and concluded that it poses a limited threat. According to AISI, Mythos is capable of attacking only weakly defended systems, and there is no indication that it could compromise truly secure software or networks.
Terence Eden, an expert with extensive experience in the UK Civil Service, shares a similar view. He believes that the hype surrounding Mythos has caused unnecessary panic within NHS England. Eden argues that open-source software is often more secure precisely because it allows for extensive scrutiny by a wide range of experts.
The Impact of Secrecy
The decision to withdraw software from public view has broader implications. Open-source software for public services promotes trust and transparency. For instance, had the code for the Horizon IT system been public, the Post Office scandal involving innocent individuals accused of theft and fraud might have been averted.
By keeping its software private, NHS England risks losing the benefits of collaboration and the early detection of potential issues. As Eden points out, the code has already been publicly available for years, so attempting to hide it now is akin to locking the stable door after the horse has bolted.
A Step Backwards?
This move by NHS England raises a deeper question about the balance between security and transparency. While it's understandable that organizations want to protect their systems, is this decision an overreaction to the capabilities of AI models like Mythos?
In my opinion, this incident highlights the need for a nuanced approach to AI and cybersecurity. While AI models like Mythos have the potential to identify vulnerabilities, they also have limitations. Relying on fear and secrecy may not be the most effective strategy in the long run.
As we navigate the complexities of an AI-driven world, finding the right balance between security and openness will be crucial. This incident serves as a reminder that we must carefully consider the implications of our decisions, especially when they involve emerging technologies.
