NHS England is preparing to lock down thousands of open-source repositories over fears about an AI security scanner called Mythos. According to Terence Eden, a former government official who worked across GDS, NHSX, and i.AI, a senior technical person at NHS England said they'll be "changing our tack on coding in the open and making our code public" and that "most of our repos, unless they're essential, will be removed for security reasons." Eden has filed a Freedom of Information request to find out what actually drove this decision.
The NHS's own guidance says the move is unnecessary. A guidance note called SDLC-8, sent on April 29th, states that "the majority of code repos published by the NHS are not meaningfully affected by any advance in security scanning" and contain mostly datasets, internal tools, and documentation that couldn't realistically cause security incidents.
The UK's Tech Code of Practice instructs government bodies to "be open and use open source." The NHS Service Standard says there are "very few examples of code that must not be published in the open." During the pandemic, NHSX open-sourced the Covid Contact Tracing App, a nationally critical system on millions of phones. Eden notes that despite scrutiny from hostile powers, "the open source code caused zero security incidents."
The practical case doesn't hold up either. If Mythos has already scanned these repos, closing them now achieves nothing: the code has already been copied. Eden points out that AI tools work just as well against closed-source software, since they can analyze binaries and probe live websites. Security through obscurity remains bad security.
And nobody has identified who makes Mythos or how it works. An undisclosed AI scanner is now overriding years of government open-source policy, and that opacity should concern people far more than the scanner itself.
Eden has already backed up every NHS repository and says the licenses allow republication if needed. He's urging people to contact their MPs.