The UK’s National Health Service (NHS) has responded to advancements in automated AI code scanners by deciding to close nearly all of its open source repositories. As noted by open source advocate and one-time civil servant Terence Eden, the UK’s Government Digital Service subsequently released a report decrying this “closed by default” turn. They summarize the objections like so:

  1. Private repositories can create a false sense of security. Making a repository private can encourage security-by-obscurity thinking, and can reduce the urgency to fix underlying weaknesses.

  2. Closing code after publication may not remove exposure. Where code has been developed in the open, making a repository private later may not remove access for a capable adversary as popular repositories are often mirrored or forked, and even low-profile repositories may already have been indexed or cloned by researchers or attackers.

  3. Closure can become a one-way door. Private repositories reduce reuse and external scrutiny, and over time teams diverge. That makes it harder to make the code public again, because the work required to publish safely and confidently increases.

  4. The same tools can be applied to defence. As discovery accelerates, defence must rely on continuous review, testing and remediation. Openness reinforces this discipline, while avoiding scrutiny does not remove defects and can allow weaknesses to persist.

  5. Openness can surface issues earlier. Public code allows issues to be identified by a wider set of reviewers, including across government and the supplier ecosystem. Closing code concentrates discovery within delivery teams and operational monitoring.

  6. Precedent matters. Broad ‘AI’ justifications for closure are easily copied and, once normalised, they undermine cross-government coherence on reuse and standards.

We are at a fork in the road with the increased availability of AI tools for both cyber offence and defence. Let’s hope most organizations do not take the same route of renouncing open source. It’s especially a shame for the UK, which I’ve always thought of as a leader in open source and open data. Hopefully, this hasty decision will be reversed.

Hat tip to Simon Willison.