The House voted to pass a cybersecurity information-sharing bill with the support of the White House on Wednesday, but security professionals and privacy advocates warn that the measure would place sensitive consumer information at risk and would not even protect networks.

Congress has failed to pass significant cybersecurity legislation in recent years due to partisan divisions on whether bills allowing greater sharing of threat data between companies and the government would endanger consumer privacy. The bill, called the Protecting Cyber Networks Act, still faces a vote in the Senate, where supporters say it is expected to have the votes needed to pass after easily advancing by a 307-116 margin in the House.

The bill would offer legal protections to companies that would enable them to share more information about their networks and hacker threats with the government.

Critics of previous cybersecurity bills included Rep. Adam Schiff of California, the ranking Democrat on the House Permanent Select Committee on Intelligence. Schiff, who has characterized the privacy provisions of past bills as inadequate, opened debate Wednesday by announcing his support for the legislation in the hope that it could prevent future attacks on U.S. networks.



Congress has been pressured to address cybersecurity after numerous companies suffered data breaches last year, including at JPMorgan Chase & Co., Target Corp., Sony Pictures Entertainment, and health insurer Anthem.

“At some point, we need to stop just hearing about cyber attacks that steal our most valuable trade secrets and our most private information, and actually do something to stop them,” Schiff said.

Privacy protections in the bill are stronger than in previous efforts, he said, while adding that improvements still needed to be made to make sure companies are not given too much immunity if they share unnecessary customer data or if they fail to act on leads about hacker threats.

“We need to further clarify that our liability protection only extends to those who act – or fail to act – reasonably,” he said.

The White House also supported the House bill on Tuesday, signaling President Barack Obama would sign the legislation, but the White House also wants changes made. Along with calling for limits on the collection and sharing of unnecessary consumer data, the administration said giving companies too much legal protection for failing to protect consumer privacy or to act on hacker threat data “may weaken cybersecurity writ large.”

Of particular concern for the White House were provisions in the bill that enable “defensive measures” in response to attacks on networks, including potential counter-hacks against the online criminals. Language enabling “defensive measures” was included in a similar bill called the Cybersecurity Information Sharing Act, which overwhelmingly passed the Senate Intelligence Committee in March on a 14-1 vote.

“The use of defensive measures without appropriate safeguards raises significant legal, policy, and diplomatic concerns and can have a direct deleterious impact on information systems and undermine cybersecurity,” the White House said in a statement.

But Greg Nojeim, senior counsel at the Center for Democracy & Technology advocacy group, said the measure is “written more as surveillance bill rather than a cybersecurity bill.” A group of 55 civil liberties groups and think tanks, including the Center for Democracy & Technology, issued a statement Tuesday opposing the House bill.

“The bill authorizes the government to use shared information to investigate and prosecute crimes unrelated to cybersecurity,” he warns, noting the broad scope of the bill’s language.



Opening debate of the bill on Wednesday, Rep. Devin Nunes, R-Calif., chairman of the House Permanent Select Committee on Intelligence, noted that the legislation “does not provide the government with any new surveillance authorities.”

“It only authorizes the sharing of cyber threat indicators and defensive measures – technical information like malware signatures and malicious code,” he said. “In fact, before companies share with the federal government, they must remove all personal information that might be attached to cyber threats. If companies don’t follow those requirements, they will not receive liability protection.”

Despite attempts to boost privacy in the bill, cybersecurity professionals remain convinced that the legislation could share unnecessary information and endanger networks. A group of engineers from firms including Twitter and Cisco on April 16 sent a letter opposing the bill to House and Senate lawmakers, adding that security professionals already share threat data while complying with federal law.

“We do not need new legal authorities to share information that helps us protect systems from future attacks,” the letter reads.