WASHINGTON—Issues of whether business' cyber liability risks should be regulated and privacy protection are standing in the way of needed federal cyber security and privacy legislation, experts say.

Several bills with varying approaches have been vying for lawmakers' attention in recent months.

In April, the U.S. House voted to approve the Cyber Intelligence Sharing and Protection Act, which would help the private sector “defend itself from advanced cyber threats without imposing any new federal regulations or unfunded private sector mandates” as well as provide privacy and civil liberty protections, co-sponsor Rep. Mike J. Rogers, R-Mich., said in a statement.

However, the Obama administration sharply criticized H.R. 3523 and threatened to veto it if it received congressional approval. The bill fails to ensure that the nation's core critical infrastructure is protected; and it would repeal important electronic surveillance law provisions, but have no corresponding privacy safeguards, the administration said.

The administration is backing another bill, the Cybersecurity Act of 2012, that Sens. Joe Liebermann, I-Conn., and Susan Collins, R-Maine, have co-sponsored in the Senate.

S. 2105 calls on the Homeland Security secretary to develop cyber security performance requirements, as well as “appropriate security measures and oversight to protect privacy and preserve civil liberties,” Sen. Lieberman said in a statement.

A rival bill is the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012 sponsored by Sen. John McCain, R-Ariz. S. 2151 would allow private entities to voluntarily disclose cyber threat information, but it would prohibit the government from using any disclosed information to regulate an entity's lawful activities.

%%BREAK%%

Legal experts say infrastructure regulatory issues and privacy concerns are the major stumbling block to any legislation on the topic.

“The biggest issue that they're facing is what to do about regulating the critical infrastructure,” which the House bill did not address, said Jessica Herrera-Flanigan, a partner with the Washington-based Monument Policy Group. She also is a former federal prosecutor and senior congressional adviser.

Republicans have objected the Lieberman bill as being “too regulatory in nature” and that “we shouldn't be creating any kind of standard, whether voluntary or required, for the critical infrastructure,” Ms. Herrera-Flanigan said.

Critics of the provisions say the problem is the speed of technological change.

Robert Dix, Washington-based vp of government affairs and critical infrastructure protection for Juniper Networks Inc., said many in the industry feel that by the time a regulatory and compliance regime would be built, the technology would change. That “would slow down our ability to be successful,” he said.

However, Stewart A. Baker, a partner with Steptoe & Johnson L.L.P. in Washington, said setting security standards is a problem the market has not “been solving very well. It's partly because industry doesn't always see the problems until the government points them out,” said Mr. Baker, who is a former assistant secretary for policy at the Department of Homeland Security.

Daren M. Orzechowski, a partner with law firm White & Case L.L.P. in New York, said privacy groups are concerned the House bill “would give broad powers and the ability for private entities and government entities to share a lot of personal information,” which “would effectively negate a lot of the privacy laws and protections that either exist under current legislation or may be coming down the pipeline.”

%%BREAK%%

“Cyber security does need to be addressed certainly, but the bills that are out there right now are bad enough that we opposed them,” said Harley Geiger, policy counsel at the Washington-based Center for Democracy & Technology, which focuses on privacy issues.

One neglected issue in all three bills is the international implications of cyber risks, some observers say.

“Cyber security is a global system and the problems that we are having with threats to our system are not going to be resolved by the United States Congress,” said Jody Westby, CEO and founder of Washington-based Global Cyber Risk L.L.C. In addition, a federal law including such a mandate would “cost business much more in compliance” and pull out money needed for jobs and economic growth, he said.

Partisanship has diminished chances of any legislation passing this year.

“It's a volatile year in politics, and I don't think there's enough cohesiveness in Congress to get something through,” said Celeste King, a founding partner with Walker Wilcox Matousek L.L.P., in Chicago.

“Simply because Congress' track record has been bad over the past few years in passing cyber legislation, plus this is an election year,” means that cyber legislation is unlikely to pass Congress, said Jay Ireland, a partner with Davis Wright Tremaine L.L.P. in Washington.

Paul Rosenzweig, founder of Washington-based Red Branch Law & Consulting P.L.L.C., said the Obama administration has been “insistent upon the regulatory structures” in the Lieberman-Collins bill, but Republicans “won't stomach that.”

Mr. Dix said, however, “I think there's an opportunity to do something if the folks that are involved here would kind of adopt a strategy that says, "Hey, let's agree on some of the arrows in the quiver,' recognizing that that it may not be everything that we need,” while “continuing to work on the areas over which there's disagreement.”