The Cybersecurity and Infrastructure Security Agency in the Department of Homeland Security must fully complete Congress-mandated organizational planning to effectively “identify and respond to cybersecurity incidents” like the Russia-linked SolarWinds hack (see 2012170050), GAO reported Wednesday. Senate Intelligence Committee Chairman Mark Warner, D-Va., and others are drafting a cyber hack reporting measure (see 2103040066). CISA “completed the first two of three phases of its organizational transformation initiative” before Congress’ December deadline but had completed only “about a third of the tasks planned for the final phase” by then, GAO said. Tasks not completed include “finalizing the mission-essential functions of CISA's divisions and issuing a memorandum defining incident management roles and responsibilities across CISA. Tasks such as these appear to be critical to CISA's transformation initiative and accordingly its ability to effectively and efficiently carry out its cyber protection mission.” DHS agreed with GAO’s assessment of CISA’s progress but didn’t fully specify its plans for completing its organizational efforts, the office said.
The FCC alerted China Unicom (Americas) Wednesday that it’s reclaiming three international signaling point codes (ISPCs) held by the company. Two ISPCs (3-194-2 and 3-195-0) haven't been used since May 1, 2020, and the third (3-199-2) since 2009, said an International Bureau letter. The company “simply cannot on its own decide to ‘reserve’ unused ISPCs for possible service that may never be offered and would similarly be considered warehousing of ISPC codes,” the bureau said. The company didn’t comment. Also Wednesday, The Wall Street Journal reported that “due to ongoing concerns from the U.S. government about direct communications links,” a Facebook-led consortium withdrew its bid to build a California-Hong Kong fiber cable to provide internet connection. Facebook didn’t comment.
ICANN should halt work on a policy for access to Whois data, its Intellectual Property Constituency wrote board Chairman Maarten Botterman. The IPC stressed it's committed to using the multistakeholder process to develop a "workable system" for accessing domain name registration data but current recommendations for a system for standardized access/disclosure (SSAD) "are not yet fit for purpose." The most important SSAD recommendations lack community consensus, potentially making them "difficult or impossible to enforce" (see 2010210001). A European Commission proposal to update its cybersecurity directive (NIS2) takes "important steps" toward addressing shortfalls in the domain name system, including access to accurate registration data; it would be inadvisable for the board to permit further work on recommendations that may run counter to EC guidance. "Given that ICANN has repeatedly sought guidance from EU institutions as to how the [general data protection regulation] should be applied to the DNS and domain name registration data, we encourage ICANN to embrace NIS2 as a valuable source of such guidance," the IPC wrote. Congress has been urged to intervene on Whois (see 2102160001). ICANN didn't comment Tuesday.
PayPal agreed to buy Curv, the Israeli cloud-based digital infrastructure company, saying the transaction will “accelerate and expand its initiatives” in “cryptocurrencies and digital assets.” PayPal said Monday it expects the deal to close in the first half of 2021. Financial terms weren't disclosed.
The world technologically “experienced more change” in 2020 than in the previous 10 years, “and there are signs that 2021 will be similar,” said Splunk CEO Doug Merritt on a fiscal Q4 call Wednesday. “We are seeing companies with a strong digital strategy outpacing their peers.” Cybersecurity attacks are growing “at unprecedented levels and scale,” said Merritt. The “magnitude” of the SolarWinds hack (see 2103040066) “hammered home the unsettling but ever-present reality of the digital era that all organizations are likely to get hacked at some point,” he said. Splunk took immediate action at the “onset” of SolarWinds to “enable customers to investigate whether they had been impacted by the attack and to confirm that Splunk itself hadn't been impacted,” he said. Splunk’s cloud revenue for the year ended Jan. 31 was $554 million, up 77%.
The Senate Finance Committee approved by unanimous voice vote Wednesday the nomination of Katherine Tai as U.S. trade representative. Tai appeared to have broad bipartisan backing at her Feb. 25 confirmation hearing (see 2102250043).
Comments are due April 2, replies April 19, in docket 16-155 on FCC-proposed standardized questions for applications on foreign ownership, says Wednesday's Federal Register. The foreign-ownership review process was jump-started by a 2020 White House executive order (see 2009290063).
The European Commission isn't trying to bypass ICANN governance of the domain name system (DNS) through its proposed digital services act (DSA) and cybersecurity package, EC officials said at an ICANN virtual stakeholder briefing Friday. The EC supports the multistakeholder approach and contributes to ICANN discussions through the Governmental Advisory Committee, said Gemma Carolillo, DG Connect deputy head-next-generation internet unit. The legislation's intent is to create legal certainty for domain name registries and registrars on things like Whois accuracy and access to personal registrant information, she said. If the proposals are adopted, the EC plans to issue guidelines that draw on ICANN's policy development work on access to personal data, she said. The EC is counting on ICANN to adopt rules for access to Whois data and start the discussion on ensuring such data is accurate, said Olivier Bringer, next-generation internet unit head. The briefing was on the potential impact of the DSA and cybersecurity measures on ICANN. The legislation would update the 2000 e-commerce directive governing the exemption from liability for illegal content of internet intermediaries (see 2101290006). That directive applies to specific services such as ISPs that act as conduits. The DSA proposes to leave the liability exemption intact but to add new rules requiring due diligence and set harmonized enforcement rules, said Irene Roche Laguna, EC deputy head-e-commerce and platforms unit. The EC considers registrars and registries to be within the DSA's scope and wants to clarify legally that they fall within the liability exception as mere conduits but also that they will have some light due diligence obligations for illegal content, Laguna said.
AT&T said it joined other companies in lobbying the Commerce Department against placing China Telecom on the entity list. AT&T said it provides services involving China Telecom that are essential for U.S. workers and customers. “In providing those services, we comply with all U.S. laws and the laws of the countries where we operate,” AT&T said. “Without a relationship with a licensed Chinese communications company, no non-Chinese provider can serve U.S. companies operating in China. In the absence of that, such support would be provided by a Chinese state-owned enterprise instead of AT&T or any other American company.” The company responded to what it said was a “misleading” report earlier Wednesday by Fox News. The Commerce Department didn’t comment Thursday. A Fox News spokesperson said that "AT&T's statement does not deny the reporting about the company's role in opposing sanctions against a Chinese telecom company. It acknowledges that role."
Annual submarine cable circuit capacity reports are due March 31 for cable landing licensees and common carriers, said a public notice in Wednesday's Daily Digest.