In at least some cases, the answer appears to be yes. The problem is that we don't know how much information is being shared, or how it's being used.
In 2011, Reuters published a story detailing intelligence sharing between the NSA and Wall Street banks in the name of "battling hackers."
The National Security Agency, a secretive arm of the U.S. military, has begun providing Wall Street banks with intelligence on foreign hackers, a sign of growing U.S. fears of financial sabotage.
The assistance from the agency that conducts electronic spying overseas is part of an effort by American banks and other financial firms to get help from the U.S. military and private defense contractors to fend off cyber attacks, according to interviews with U.S. officials, security experts and defense industry executives.
Earlier this year, Keith Alexander, the head of the NSA, argued for greater information sharing between the NSA and private firms, stressing that:
Those companies that do share cyber-threat information with the feds in good faith need "a liability protection so that [they] are not just sued frivolously" for privacy violations.
That's what the CISPA bill,
passed by the House in April and currently stalled in the Senate, would have achieved. Except CISPA was not just focused on corporations funneling information to the government (something that it seems is already happening), but also the NSA sharing data with corporations in the name of protecting against "cyber threats."
How does CISPA define a cyber threat? According to the Electronic Frontier Foundation:
A "cybersecurity purpose" only means that a company has to think that a user is trying to harm its network. What does that mean, exactly? The definition is broad and vague. The definition allows purposes such as guarding against “improper” information modification, ensuring “timely” access to information or “preserving authorized restrictions on access…protecting…proprietary information” (i.e. DRM).
There was a lot of resistance in the web community to CISPA. Less noticed was
President Obama's February 12 executive order on cybersecurity, which established:
New information sharing programs to provide both classified and unclassified threat and attack information to U.S. companies. The Executive Order requires Federal agencies to produce unclassified reports of threats to U.S. companies and requires the reports to be shared in a timely manner. The Order also expands the Enhanced Cybersecurity Services program, enabling near real time sharing of cyber threat information to assist participating critical infrastructure companies in their cyber protection efforts.
Just like terrorism, cyber security is a real threat. But given the global scale of secret data mining occurring under PRISM, you have to question where the line is being drawn. How much data is being shared and for what purposes? It's already been confirmed by the Guardian that
PRISM data is shared with the intelligence agencies of other countries. Clearly this is an angle of the story that deserves more scrutiny.