By Tim Starks | 05/17/2017 10:00 AM EDT

With help from Eric Geller and Martin Matishak

RANSOMWARE ATTACKS WANING - The ransomware outbreak that raged over the weekend and into Monday, affecting hundreds of thousands of victims in more than 150 countries, finally seems to be slowing down substantially. Jeanette Manfra, the Department of Homeland Security's acting deputy undersecretary for cybersecurity and communications, said the attacks appear to be "dying down," although the occasional variant is still surfacing. In another sign of a return to normalcy, the U.K.'s National Health Service, which was hit hard by the campaign, is no longer diverting patients from accident and emergency units. In the end, the United States didn't suffer much. Manfra said fewer than 10 U.S. companies reported suffering attacks, and none of their operations were affected. Manfra also said no government systems were infected, although a U.S. Army machine might have been.

- BUT THE ISSUE PROMISES TO REVERBERATE: Shadow Brokers, which released the apparent NSA hacking tools that opened the door to the WannaCry ransomware - and before that, at least one one other, according to security researchers at ProofPoint - said it would start a monthly data dump based on a subscription model. Some security analysts were also looking at the next possible NSA hacking tool to wreak havoc, even as many were still puzzling over WannaCry's mechanisms. And the courts and Congress have barely gotten started on a response. There could be a slew of lawsuits, although not against Microsoft, which instead got a tongue lashing from a former U.K. spy chief. A pair of leading House Homeland Security Democrats are seeking a ransomware hearing from Republican subcommittee chairmen, focusing on the health care sector.

HAPPY WEDNESDAY and welcome to Morning Cybersecurity! Catch me in my male romper. Send your thoughts, feedback and especially tips to tstarks@politico.com, and be sure to follow @timstarks, @POLITICOPro and @MorningCybersec. Full team info is below.

MORE RANSOMWARE RAMIFICATIONS: FOR NORTH KOREA - "North Korea's hackers already stand accused of disrupting South Korean power plants, trashing Sony Pictures' computers and stealing $81 million from Bangladesh's central bank," Cory writes for Pros. "But if they also caused this past week's global cyber meltdown, the reclusive regime's cyber operatives may have finally gone too far." Why? "The spreading malware crisis' hardest-hit victims include China - the country that some cybersecurity experts say has enabled North Korea's hacking operations by providing network bandwidth and even physical space for thousands of Pyongyang digital warriors to launch attacks on government and corporate computer systems around the world."

- AND ON THE NSA CALL TO KEEP THE HACKING TOOL SECRET: The Washington Post has fresh details on how fearsome NSA officials considered the hacking tool at the root of the ransomware outbreak, and how they still didn't notify Microsoft. "Those entrusted with deploying it marveled at both its uncommon power and the widespread havoc it could wreak if it ever got loose," but the power side won out. Said one former NSA official: "It was like fishing with dynamite."

HOTTER WATER FOR TRUMP OVER COMEY, RUSSIA - Another bombshell from the FBI director firing: "President Trump asked the F.B.I. director, James B. Comey, to shut down the federal investigation into Mr. Trump's former national security adviser, Michael T. Flynn, in an Oval Office meeting in February, according to a memo Mr. Comey wrote shortly after the meeting," The New York Times reports . "'I hope you can let this go,' the president told Mr. Comey, according to the memo. The existence of Mr. Trump's request is the clearest evidence that the president has tried to directly influence the Justice Department and F.B.I. investigation into links between Mr. Trump's associates and Russia." POLITICO confirmed the account with one Comey affiliate, and the White House denied it sought an end to the investigation. Sen. Angus King says Trump is flirting with obstruction of justice and impeachment over the Flynn story, and House Oversight Chairman Jason Chaffetz wants related documents.

NIST EYES IOT FOR ITS CYBER FRAMEWORK - Today is the second day of technical standards agency NIST's latest Cybersecurity Framework Workshop, and researchers are gathering at the agency's headquarters in Gaithersburg, Md., to discuss issues related to the widely used framework. Sessions at the workshop - which will be livestreamed - will explore the international applicability of the document, sector-specific requirements and uses for small businesses. But one of the most closely watched sessions will be "Cyber Meets the Physical World," about the ways the framework can be applied to the internet of things. "We have a lot of different standards in a lot of different areas," Kent Landfield, head of standards and tech policy at security giant McAfee and a participant in the session, told MC in an interview. "Very few of them are very specific, and some of them are much more guidance-focused than they are real detail as to how to do something. So we're going to be dealing with trying to find that balance."

One challenge, Landfield said, is figuring out what security and management lessons from the IoT world can be built into the framework, given that the document is designed with backward-compatibility in mind. "The framework's gained a great deal of acceptance, and as such, [NIST is] much more amenable to adding things into the framework than they are restructuring aspects at this point in time," he said.

A major focus for Landfield will be developing recommendations for securely upgrading products. "It's just the nature of product and software development that these devices are going to have firmware and software issues that have to be addressed," he told MC. "What is the right way to try to deal with these issues, both from the standpoint of being able to incorporate that upgradability capability - that security patching capability - into IoT devices and [in terms of], how does that play into the framework itself?"

J'ACCUSE, RUSSIA - Ukrainian President Petro Poroshenko accused Russia of carrying out a cyberattack on his website in retaliation for Kiev's decision to impose sanctions on a number of Russian internet businesses. "We have been witnessing Russia's response to the presidential decree that mentioned closing access to Russian social media. The website of the president is affected by an organized attack," a government spokesman said in a statement. "The situation is under control thanks to our IT specialists and there is no threat to the work of the website."

Poroshenko has banned more than 400 Russian businesses from operating inside his country. The government said the sanctions aimed to protect against companies "whose activities threaten information and the cybersecurity of Ukraine," Reuters reported. In 2015, suspected Russian hackers caused an hours-long blackout affecting about 80,000 people in the western part of Ukraine.

TODAY: HOUSE VOTES ON MGT ACT - The House is set to vote today on White House-backed legislation aimed at upgrading aging federal computer networks, sponsored by Reps. Will Hurd, Robin Kelly and Gerry Connolly. The IT Alliance for Public Sector said it would count the vote on the Modernizing Government Technology Act (H.R. 2227 ) as a "key vote" for its lawmaker ratings guide published for each session of Congress. "The time is ripe to transform the way the federal government acquires IT, and this bipartisan legislation is a substantial step toward that transformation," Dean Garfield, president and CEO of the organization, wrote in a letter to Speaker Paul Ryan and Minority Leader Nancy Pelosi. "The MGT Act would enable new and much needed methods of providing both IT solutions, including for IT modernization efforts, and funding flexibility to permit the federal government to better keep pace with IT innovation."

MINOR DOCUSIGN BREACH A MAJOR WAKE-UP CALL - Electronic signature provider DocuSign's recent data breach is another reminder of the importance of staying vigilant for spearphishing attacks, security researchers said Tuesday. DocuSign said Monday that hackers had broken into a database and stolen customer email addresses, which the hackers then used to send spearphishing emails purportedly from the company. No DocuSign payment or document data was compromised, the company added. But experts said the compromise pointed to a weak link in the chain of trust between customer and company. "The DocuSign business model relies on a DocuSign branding push via their notification emails, and that makes them and their customers more vulnerable to attacks such as this," said John Gunn, the chief marketing officer at VASCO Data Security. Travis Smith, a senior security researcher at Tripwire, added that while "it's easy to get into a routine and let your guard down," the breach was a "good reminder to raise your guard back up and keep a watchful eye on any suspicious documents coming across your email."

TWEET OF THE DAY - Jimmy Kimmel, finally talking about the issues that matter.

RECENTLY ON PRO CYBERSECURITY - Senate Majority Whip John Cornyn pulled his name from consideration to be the next FBI director. ... Senate Majority Leader Mitch McConnell said he recommended Merrick Garland to lead the agency. ... Sen. Lindsey Graham invited Comey to testify at a Senate hearing. ... Intelligence officials might start holding back material from Trump over his reported relaying of classified information to Russians. ... A neo-Nazi may have posted the fake documents about new French President Emmanuel Macron before his election victory. ... CIA Director Mike Pompeo was expected to brief the House Intelligence Committee on Trump sharing classified information with Russian officials.

QUICK BYTES

- The Health and Human Services Department next week is kicking off development of principles and best practices for health care cybersecurity. CyberScoop.

- A kid hacked an audience's bluetooth devices to manipulate a teddy bear. That's a sentence that exists now. AFP.

- That WhatsApp link isn't to be trusted. Nextgov.

- The WannaCry ransomware has reached at least five U.S. universities. CyberScoop.

That's all for today. It's a conversation starter!

Stay in touch with the whole team: Cory Bennett (cbennett@politico.com, @Cory_Bennett); Bryan Bender (bbender@politico.com, @BryanDBender); Eric Geller (egeller@politico.com, @ericgeller); Martin Matishak (mmatishak@politico.com , @martinmatishak) and Tim Starks (tstarks@politico.com, @timstarks).

To view online:
http://www.politico.com/tipsheets/morning-cybersecurity/2017/05/ransomware-outbreak-slows-but-ramifications-loom-220359

To change your alert settings, please go to https://secure.politico.com/settings/settings

This email was sent to contact@emailingnewsletter.com by: POLITICO, LLC 1000 Wilson Blvd. Arlington, VA, 22209, USA

Please click here and follow the steps to unsubscribe.