FSFE warns: NHS should not depublish open-source code

The Free Software Foundation Europe warns against switching NHS code repositories to private due to fears of AI vulnerability scanning.


Reports indicate that England's National Health Service (NHS England) plans to switch most of its public source code repositories to “private”, the Free Software Foundation Europe (FSFE) warns. This appears to be a reaction to concerns that public source code repositories could be scanned for vulnerabilities using artificial intelligence.

The FSFE states in an announcement that an internal policy titled “SDLC-8” requires publicly accessible repositories to be switched to “private” unless an explicit exception is granted. The FSFE sees this as a step in the wrong direction: taking already published repositories offline does not prevent attackers from analyzing the deployed systems, their dependencies, interfaces, and binaries.

Depublishing the source code does not make it unseen, nor does it remove existing copies. It is therefore not an effective security measure. Instead, the step removes a fundamental pillar of security, namely the ability of independent IT experts, IT researchers, and other public institutions to inspect the code, reuse and improve it, and report security vulnerabilities in it, the FSFE explains.

Johannes Näder, Senior Policy Project Manager at the FSFE, also commented: “Depublishing public code is not a security strategy. ‘Security through obscurity’ has been debunked as a security measure for a long time. Making repositories private does not protect NHS systems. It only limits who can help find and resolve problems.”

In response to The Register, an NHS England spokesperson said that this is merely a temporary measure to strengthen cybersecurity and assess the impact of the rapid developments in AI models. They will continue to publish source code when there is a clear need.


One of the FSFE's core demands is that software funded by public money should be published as free software. Previous NHS policies also stipulated this: new source code for public services should be open and reusable, since public services are paid for with public funds. The regulations for UK authorities also require this, with only narrowly defined exceptions. The FSFE therefore calls on NHS England to withdraw all policies that treat source code as private by default and to commit to free software remaining the standard for publicly funded software.

The FSFE reported problems with a payment service provider for donation processing in March of this year. A solution was found for this.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.