Entrepreneurs know the value of a good origin story, a shorthand to explain themselves, their idea, their business journey, and their success. Think of the stripped-down elegance of the seven lines of code behind online payments processor Stripe or the graft that saw Kingspan grow from the backyard of a pub in Co Cavan to a global supplier of building insulation. Creating a business brand is about risk and connecting with people, and part of that is telling the world who you are and why it should care about what you do. 

Corporate lawyers? Not so much. They tend to travel a straighter path: study hard, join a blue chip firm, work non-stop and hopefully climb the ladder to equity partner. The image of the profession’s top players broadly tends to be one of clever, client-focused problem solvers or behind-the-scenes dealmakers.

But there are always exceptions, like Michael Bahar, a litigation partner in the Washington DC office of international law firm Eversheds Sutherland and co-lead of the firm’s global cybersecurity and data privacy practice. As a reserve US Navy Seal, former legal advisor to the White House’s National Security Council under President Obama, and a peace negotiator with the Taliban in Afghanistan, Bahar has oodles of backstory, not to mention security insights straight from the top echelons of the public and private sectors.

In fact, the Democratic aide only joined Eversheds Sutherland as a key hire in June 2017. Before that he had been working with the US House of Representatives Permanent Select Committee on Intelligence – a position he found hard to leave because the panel’s investigation into Russian interference in the 2016 US election was the “successor to Watergate” and it was like “having to step aside from history”, he told Politico.

On his appointment to Eversheds, the law firm issued a press release noting Bahar’s extensive interactions with the National Security Council, the US Department of Defense, and the US Intelligence Community – including the Central Intelligence Agency (CIA), the National Security Agency (NSA) and US Special Operations Command (SOCOM) – heavily deployed in the war on terror. 

He had also been lead drafter and negotiator on the USA Freedom Act regulating the bulk collection of telecoms data, and on the Cybersecurity Act of 2015, a significant piece of US legislation that allows companies to monitor and defend their information systems and offers firms protection measures to encourage them to share information on cyber threats, and on defending against them, with the federal government and other entities.

As lawyers go, Bahar really stands out.

When I meet him, it is in a small conference room at the law firm’s Dublin offices on Earlsfort Terrace. He is on a flying visit from London, currently a base of sorts for him and his wife, the British Tony-nominated actress Hannah Yelland, who, he tells me, performed at the Gate theatre a few years back (in Joseph O’Connor’s adaptation of Daphne du Maurier’s My Cousin Rachel).

He has an easy manner and plays host by offering me coffee. 

A pernicious form of foreign policy

The purpose of his trip is to meet up with Eversheds colleagues and discuss global trends in data, litigation, and cybercrime. Attendees included Remi Kleiman, a Paris-based partner in the firm’s commercial litigation group; Joos Hellert, a partner and head of dispute management in the Munich office; and Marie McGinley, a partner in Ireland and head of intellectual property, technology, and data protection – whom he rates highly as an “amazing tech, cyber, privacy lawyer”.

Dublin is just one stop of many in a busy calendar as he checks in on the global cyber team. “We’ve got almost 160 people spread across 33 different countries and 74 different offices. So next week, I’ll be in Houston and Dallas and Austin and San Francisco, and Bulgaria. I was in Bulgaria a couple of weeks ago to visit our new office and our new privacy team there. So it comes with the job,” he said. 

He seems relaxed and unfazed by his demanding schedule or by this interlude with an Irish journalist hoping to pick his brain about security and cyber risks.

Later, a thought leadership dinner with clients awaits. He doesn’t disclose the invite list but agrees tech multinationals will of course be represented.

“Given my background, I can anticipate that people are going to ask a lot about geopolitics and how that’s going to affect them. In cybersecurity, geopolitics often predicts what’s going to happen, whether that is in cybersecurity or in the more pernicious forms of foreign policy, including disinformation campaigns and data manipulation attacks and things like that; not just hacking and stealing data or ransomware.”

I tell him that’s what I was going to ask him about, geopolitical instability, specifically Russia’s invasion of Ukraine.

He predicts the sluggish ground campaign by the Russian forces will lead to a revival of “plausible deniability” as the preferred “strategy among the adversaries”.

“Unlike what you’re seeing with the war in Ukraine, which is a very unusual, overt, conventional war that obviously isn’t working very well, I suspect countries like that [Russia] will go back to so-called active measures, things right below the level of armed conflict whether it’s cyber means to steal intellectual property, or to cause infighting within countries or among countries. But certainly, big tech, big banks, the energy sector are all very much going to be on the front lines of that.” 

Litigators are the first people you want

Symbols of global capital have often served as potent targets for terrorist organisations, whether it is the 1996 IRA bombing of Canary Wharf or the 9/11 Al Qaeda attack on the Twin Towers that killed 2,753 people. In that respect, cyber warfare is no different. Wreaking havoc on major private entities can be a highly political act. 

Last year, the east coast of the US suffered supply shortages from the hack on Colonial Pipeline, the largest fuel pipeline in the US. The FBI blamed the strike on DarkSide, a hacker gang likely based in eastern Europe that develops and markets ransomware for use by other criminal organisations. DarkSide is not understood to be a state-sponsored actor, but the hack on Colonial was severe enough to prompt a sector-wide White House response to secure critical energy supply chains in the future. Bahar says Colonial is a classic example of what software can do if you hit the right node, in this case the energy sector.

This is where the Eversheds Sutherland data team steps in, offering a comprehensive service to global clients to diminish the risks of a cyber-attack and mitigate the damage in the event of a breach – be it dealing with reputational scars or expensive enforcement actions.

“Usually the saying is litigators are the last people you want to see. But our view is litigators are the first people you want because you want to plan for the worst and work backwards from there,” Bahar says. 

Eversheds even walks clients through simulated cyber-attacks, an onslaught aimed at testing the human response to a data crisis – like what happens when panic sets in and a multinational is trying to contain the damage while facing different notification requirements for a data breach across multiple jurisdictions; 72 hours under GDPR, six hours under Indian law, two days in Brazil. 

The public-private interface

I ask him for his views on Ireland’s defence vulnerabilities in the cybersphere or even in the traditional military sense, for example protecting important communication infrastructure like the undersea Atlantic telecoms cables off the South West coast.

“Oftentimes in cyber, your greatest strengths are your greatest vulnerabilities, right? Because obviously, Ireland is unbelievably tech forward, unbelievably tech savvy, and there’s a reason all the big tech companies are here and it’s not just confined to tax. It’s not just confined to the fact that post-Brexit, Ireland is the primary English speaking country in Europe. It’s the talent pool. But you know, when you have that greater concentration, some of the world’s leading companies, you become a target. And with cyber in particular, there’s a limit to how much governments can do.”

Arguably, last year’s ransomware attack on the HSE suggests the weak spot in Ireland’s armour is the under-resourced public sector rather than the big tech behemoths like Google and Meta with European headquarters in Dublin.

“What I’ve learned from my time with the House Intelligence Committee or the White House, in cyber, it’s an all hands on deck. It’s a public-private thing and if they don’t work together, any seam is exploitable. So yeah, a lot of great things can happen here. But that means the target, I would expect, to be more focused here than in other places,” he continues.

I ask him what was learned from Russian interference in the 2016 US election and whether the cyber-attack playbook has changed since then.

“There’s a greater understanding of so-called active measures and influence campaigns and what’s needed to defend at a system-wide level against cyber-attacks. But I don’t want to underestimate the power of disinformation campaigns and how effective they still are.”

“It is not like in 2016, the tactics used against us were that novel, I just hope in 2022 and beyond, people get better at recognising them for what they are,” he adds.

He mentions the reports of troll armies that operate in a grey space between the state sponsored and purely criminal. “That’s the business model of many states nowadays. You have this sort of citizen soldier concept to cyber.”

A big concern

I ask him if he has security concerns about the prevalence of Chinese tech firms like Huawei and TikTok in the West.

“An old saying is the greatest SIGINT device, signals intelligence, is the telephone. You just get so much information. Now, people don’t speak on the telephone anymore but they’re conversing and exchanging information through all these technologies and, depending on where they flow and how they’re designed, countries with an interest can use that to surveil others,” he said.

“So it is a big concern and I think it has to be very carefully assessed like if you are going to use technologies created in one country to operate critical infrastructure in another country. Or you need to have diplomatic agreements with those countries that – hey you may have the capability but you don’t use it here. And if you do, we’ll kick you out.”

When it comes to the current direction of cyber threats, he again points to nation-state actors using technology to accomplish foreign policy objectives.

“We’re seeing how this sort of conventional war is not really as effective. It’s far more effective to be Voldemort, to be always talked about the same way ISIS did it. Everything that went wrong, people said it must be ISIS. Who knows how much they actually did? Putin did the same thing. This aura about him that everything that went wrong, he must be the grand manipulator, the puppet master. And that’s accomplished through what I talked about, this plausible deniability, just nudging things and pushing things and not ever saying when it’s you and when it’s not. The wink wink nudge campaign is very effective,” he said.

“Another trend is the commoditisation of malware. It was very easy if you wanted to launch your own ransomware attack. You go into the dark web, they’ve got customer service representatives that will talk you through it and you yourself can launch it, you don’t have to actually be a coder or a hacker. You just have to deploy the tools that somebody else has designed for you. 

“So those two trends make it very dangerous. Because you’re defending against the most sophisticated of sophisticated, and you’re defending against those that are coming at you in volume. It’s like that famous saying, if you’re a goalie, you’ve got to stop every one. The striker just has to get through once. So it’s difficult and then there is this model over here, the hybrid that we talked about. They have armies of people who are going out hacking for their own because they know that if the state ever wants them to do something, they have to do it.”

When companies are attacked what is the insurance position, I ask Bahar.

“It’s a rapidly changing question because Lloyd’s of London recently announced that the first quarter of next year, they are going to, in a sense, require exclusions for war and war-like activity. So if you look at what we were just talking about around the nation state, that’s going to be excluded from many insurance contracts. But the question is going to be attribution, how do you tell who it is? And who gets to tell? – Oh, no, that was a state actor. Oh, no, this was that hybrid action, but it was backed by the state. So there’s going to be a lot of flux in the insurance markets and coverage based on this wartime exclusion for cyber security.”

The tech golden goose

On a visit to Dublin last month, Margrethe Vestager, executive vice president of the European Commission, said there remained a distrust of Ireland as an effective enforcer of big tech. This followed repeated accusations from the Data Protection Commission’s (DPC) counterparts in other member states that it is being too lenient in its enforcement of privacy rules on the Irish-based multinationals handling citizens’ data. In one of the most extreme cases, Twitter was fined a mere €450,000 two years after a security breach at its Dublin office in January 2019.

I ask Bahar if he agrees with Vestager and views the DPC as lacklustre in meeting its responsibilities.

“We hear a lot of complaints from other European countries. And we can see certain times when the IDPC is planning to fine it one amount, and then the other countries say no, and the funding goes increasingly greater,” he said.

“But it’s like with everything else you do have to balance the benefits of technology against the risks of technology. I think every regulator is trying to figure that out for themselves. And many of the regulators use the very same technologies that they’re trying to regulate, especially when it comes to the cross border piece. If you read some of these requirements to the logical conclusion, even the regulators themselves would really be able to communicate via certain technology platforms. To move the needle towards greater privacy is one thing, but it can’t be at the expense of the benefits of the technology.”

I suggest it’s the same argument that is made against the UK regulator, the Financial Conduct Authority. There is a perception the FCA is too close to the City of London to fully fight dirty money. It’s about not killing the golden goose.

Bahar doesn’t buy that. He points to California, the home of Silicon Valley, as presumably having the same incentives as Dublin in the tech sector and yet it has the leading privacy regulator in the United States.

I argue California’s place in the tech pantheon is more assured than Ireland’s. He is not convinced.

“Perhaps, but, you know, the US isn’t an island and people can move freely across the states and there are many states in competition with California to try to attract the tech sector. Think Austin, Texas, for example. And, you know, we’re always hearing about the impending tech flight out of California to low tax states or something like that. But we haven’t seen that yet really. You could talk about it from the incentive space, but if you’re talking about it from an evidentiary base, have you seen it yet?”

So tough regulation doesn’t create flight, I ask.

“It may not, right,” he replies. “Obviously, there’s going to be a tipping point. You can turn up regulation to such a point where it doesn’t make business sense to do it.” However, he adds: “If you look at all the advantages of being in Dublin, you can’t just look at one perceived disadvantage and say that’s going to be the straw that breaks the camel’s back. That’s a harder proposition to make.”

He thinks on it a little more and says while he understands Vestager’s criticism and the golden goose argument, it is not borne out in California or New York – which he says has the most aggressive prosecutor. “New York and California are the two largest economies in the United States. California is the fifth largest economy in the world despite the heavy regulatory, heavy tax burden, it’s still the fifth largest economy in the world.”

Goering’s cigars

Our time is running out so I ask him about his decision as a young man to join the US navy. It’s an extraordinary story about his family surviving the Holocaust.

“I was visiting my grandparents in 1997. I’d just graduated from college and they were clearing out their house in Bremen in the north of Germany before full time moving to New York. And my grandfather handed me this box of cigars. He goes ‘read it, look at it’, and it was Hermann Goering’s cigars, the Luftwaffe commander,” he said. 

“Somehow my great-grandfather stole them or somehow got them from the German Luftwaffe commander. He was in the camps as were my grandfather and my grandmother. My grandparents met in the camps. 

“And I took the cigars back with me. Then when I got into law school, Harvard Law School, I remember I was working in the State capital of New York, Albany. I sat on the steps of the capitol and I smoked one of those cigars and I thought to myself, this is truly amazing. I’m smoking the cigar of somebody who tried to eradicate my family and I never would have existed and here I am in the United States about to go to Harvard Law School. This doesn’t happen anywhere else. I remember just watching the smoke blow up, and I thought to myself ‘now I have to give back. I don’t know how yet’. Then, once I went to law school I figured out how I could, by doing military service. Then my third year of law school began with 9/11. A couple of weeks after that I put in my application for the navy.”

He was commissioned into the United States Navy Judge Advocate General’s Corps (JAG) and, according to his Harvard alumni page, began basic training the morning after he sat for the New York State bar exam. He became a litigation associate at Paul, Weiss, Rifkind, Wharton, & Garrison in NYC for ten months before he was called up.

Bahar has seen plenty of active service in the course of a 20-year career as a US Navy Seal. He spent a year at sea on the Nassau expeditionary strike group which conducted anti-piracy operations and was deployed twice in Afghanistan – although he says on the last occasion he spent most of his time in Doha engaged in peace talks with the Taliban.

Then in 2015, he got called up to work for the Obama administration through Paul Weiss, a partner in the law firm he had worked at in New York. Weiss was the Department of Defence general counsel at the time. “He called this Admiral that I worked for, and the two of them nominated me for this position at the White House and I was fortunate enough to get it. So I did that for a couple of years. And then the House Intelligence Committee from there for four and a half years. And now Eversheds.”

I ask him what drew him to the firm.

“I needed a platform that had these global capabilities,” he says. “To be able to service these global companies, in a coordinated and seamless fashion because that’s the only way to do it.”

He praises the Eversheds data and cyber team from Dublin to London, Hong Kong to Germany.

“Again it’s what we talked about. It’s all about the seams, the attackers exploit the seams, the regulators exploit the seams, the class action attorneys exploit the seams and I try to close those seams and prevent bad things from happening.”