Technical cooperation with Iran

I’m a big believer in liberal institutionalism, the idea that the development of international organizations that work together, build partnerships, integrate closely, reduces the risk of conflict between states.

This also means I’m very much in favor of international cooperation, and in particular was a big supporter of the Iran deal. While there are risk to any agreement, and I by no means want to ignore legitimate reasons for which the sanctions have been put in place, in my very personal view it’s a valuable tool to limit nuclear weapons propagation and avoid the risk of another outright war in the Middle East.

When earlier this year I was invited to keynote a cyber security conference in Tehran, I did some thinking and reading. Iran, several of its government institutions and some corporations are covered by both UN and US sanctions, and there are good reasons for why some of these were put in place. So it was worthy of some consideration whether my trip would be beneficial overall, or not.

I decided that my small piece of connecting people and their views on others would be beneficial, and I was looking forward to meeting security pros from Iran, with very different, yet similar, problems than I have. When people across countries connect and exchange information, connections and culture, I think overall we have a much better chance at creating an inclusive community where people’s preconceptions of the “other” are challenged. So I accepted.

What I did not realize was that there would actually be quite a bit of paperwork ahead of actually delivering the lecture.

In a way, I hope this blog encourages you to review opportunities to interact with other sensitive countries yourself, evaluate the pros and cons, make your own decision, and perhaps help you along the legal process to make it happen. Even when the simpler or default answer may be to shy away and not do something.

 

Applying for a sanctions exemption

Proper investigation into the process however threw up a few areas of concern. First, Iran is still covered by UN and US sanctions. When on July 14th, 2015, the P5+1 (the five permanent members of the UN Security Council: China, France, Russia, the United Kingdom, and the United States; plus Germany) agreed on the Joint Coordinated Plan of Action (JCPOA), the media was quick to call out that sanctions were now a thing of the past. Hence, originally I didn’t expect too many issues traveling. While I’m not a US Citizen, I am a US Person (an alien admitted to permanent residency), and have to follow US law with regards to doing business with Iran.

However, the JCPOA sanctions were only a small part of the battery of sanctions the United States has in place on business and engagement with the Islamic Republic. The plan applies only to the sanctions put in place after UN Security Council resolution 1696, passed in 2006 to discourage Iran from creating nuclear weapons. Prior to this, in 1979, the United States had put together a sanctions package in response to the Iranian Revolution, which were expanded in 1995 to include firms that have dealings with the government. Various other terrorism- and human rights related sanctions were put in place afterwards.

As I didn’t quite know how to approach this problem, I called a few attorneys focused on sanctions licenses. From these discussions I learned the following:

• In order to present at an academic conference, I still needed to get a license from the Office of Foreign Assets Control (OFAC), the US sanctions authority;
• There are only limited exceptions for content which has been widely presented before, but to avoid issues, in particular on a sensitive topic such as cyber security, it would be unwise to proceed even in this case without a license;
• Applications could take up to 6-9 months, and I probably wouldn’t have enough time to obtain a license;
• My license application would most likely be forwarded by OFAC to the Department of Homeland Security and the State Department for review, as they are the competent authorities on this type of international engagement.

Asking about pricing, it quickly became clear that it would not be affordable for me to retain a sanctions attorney to apply for the license. As I was still very interested in proceeding with the project, I decided to write up my own application instead.

The process is actually remarkably easy. I wrote up a Word document containing a letter of introduction and the reason I was apply, and essentially filled in enough web forms to make it clear that I was the individual applying. You do all of this on the web site of the Department of Treasury, and choose the “Transactional license” to get started.

In my application, I focused on a few things:

• I explained the goal of the conference, the dates, and the organizers;
• I included my letter of invitation by the organizers, and an outline of what I was planning to present on, and what my workshop would cover;
• I included a very specific statement on how I felt my workshop would further US international policy on cyber. In particular I explained the defensive nature of my talk and workshop, how several state department documents and contributions to international meetings show that US policy supports international cooperation and technical exchange on information security matters;
• I included a specific risk reduction statement where I made it clear how my content was difficult to convert into something that could be used to harm others.

I submitted my application, and over the next few weeks, received a few simple requests for follow up information:

• A copy of my resume and overview of how my experience aligned with the talk;
• More information on the dates and venue of the conference.

If you know people at the government agencies that are likely to decide on public policy in your area, it’s probably a good idea to reach out, and make them aware of your plans and what good things they hold.

About 57 days later, it happened!

I got an e-mail from the helpful team at OFAC with a note of approval, and a PDF copy of my license. A few days later, I received a hardcopy in the mail.

Overall, the process was remarkably smooth and I felt the OFAC team was very professional in its investigation and follow-up.

None of the above is intended as legal advice, which I’m not competent nor authorized to give. I highly recommend engaging with an attorney, even if only to interpret the license document you will receive — which has very clear stipulations around how money is allowed to flow to support your work. But I hope it gives you an idea of my experience, and can help support your own work. Feel free to contact me if you’d like to see some of the documents I submitted to get an idea on how to phrase your application.

 

Travel, Immigration and finances

From Europe, travel to Iran is now simple. Prior to JCPOA, only Turkish Airlines and Alitalia still had operating flights from Europe to the country. Afterwards, gradually other airlines either established or re-established an airlink, including Lufthansa, British Airways, KLM and Air France. This was actually noticeable in the business people I met in Tehran. The vast majority of them, in fact virtually all of them were German or French. Tourists I met at the airport were mostly French, Dutch and East Asian. I met no Americans, perhaps a sign of how reluctant United States businesses still are to take advantage of sanctions reductions. May of 2016, the Economist ran a great article about these concerns.

As a Belgian, one of the nice things is that I actually didn’t ne ed to apply for a visa ahead of time. However, the conference was as kind as to help me set it up, and got a visa number from the Ministry of Foreign Affairs ahead of time. Flying in from Frankfurt, upon arrival there are three steps to go through: obtain insurance, go to the VISA line to get a form that tells you how much you need to pay, and finally pay the amount at the bank.

Regarding payment, the Iranian financial system is completely disconnected from the world. There are no practical ways to get money inside the country using credit cards or to cash checks, and you must bring all the money you intend to spend in the country yourself, in cash. Once you’re in the country there are two mechanisms to exchange it: official exchange services, which are spread out across the city of Tehran, or smaller, ad-hoc exchange markets where you haggle and negotiate with others on how much they’ll be willing to pay for your hard-earned dollars.

 

Training

During my trip, which was supported by the conference organizers and the Mobile Telecommunications Company of Iran (MCI), I gave two different sessions:

• A keynote at the International ISC Conference on Information Security and Cryptography at Shahid Beheshti University;
• A full day workshop on security incident response, for various students and professionals from Tehran.

My keynote had as goal to talk through why cooperation, between countries, companies, but also disciplines in information security, is so important. I covered historical incidents, from Brain, a piece of code originally written as a copyright protector by two Pakistani brothers, that turned into the first boot sector infector, over Stuxnet onto the recent large scale DDoS attacks. For each of these attacks, I talked a bit about how the community of defenders came together to initiate their response, contained the incident and recover/defend against future incidents.

I spent a lot of time discussing Stuxnet, since it had the closest ties to the audience. I didn’t get too many questions during the keynote speech, but afterwards had a number of interesting discussions with people that clearly had looked into the code in greater detail.

The workshop was actually more interesting to me personally. The women and men that attended were all incredibly eager to build out or improve their incident response programs. People were very smart and had tons of questions about technical issues. I wasn’t expecting the session to be so interactive, but I had real issues making it through all the material.

Perhaps it was my own prejudice of Iran, but I was also pleasantly surprised by how many women attended the session. The photo above isn’t exactly accurate in that sense, but almost a third of the attendees were women, and they were very active in asking questions and contributing ideas, often more so than the men.

In particular the discussion around detecting security incidents was valuable to me. There was a lot of talent in the room, across varying disciplines. Most interestingly, several of them were hardcore malware analysts with a lot of experience working on targeted attacks. I really only had a few slides in the training on how to detect security incidents, and wasn’t planning to cover it in great detail. However, we talked for over two hours about tools, exchanged experiences on how to detect malware infections across large enterprise networks, and the types of behaviors that would be typical for an intruder present on a network. I learned a lot myself from everyone’s input.

People also were very creative. Due to the sanctions, they often don’t have access to the latest and greatest tools from the west, and have to come up with their own solutions for several technical problems. I saw some technical implementations, in particular around correlating incidents that were unusual but very creative and promising.

One of my favorite moments of the trip was receiving a speaker gift for my keynote from Mohammad Reza Aref, who is the leader of the reformists’ Hope fraction of the Iranian Parliament, and a former vice president of Iran. He himself is an engineer who got his PhD from Stanford University, and then returned to Iran after the Iranian Revolution, and it was great to see him support an information security conference.

Tehran

Most of my trip I spent in Tehran, capital of the Islamic Republic.

A busy Tehran street. In Early 2015, a CBC reporter used audio from a horse drawn carriage in this street, which resulted in a listener writing in that the sound of the carriage made people believe Tehran was stuck in history. I enjoyed seeing locals actually take this mode of transport, as well as cars and motorcycles, to transport their goods away from the Grand Bazaar. It was a nice thing to watch over time while I sat and collected my thoughts from a nearby little bench.

Golestan Palace was originally built in the 16th century in Tehran, and served as the official residence of the Qajar dynasty. Today it’s the largest museum in Tehran, and a great place to visit. In the early 1900’s, parts of the palace were destroyed by Reza Shah, to allow Tehran as a city to continue to grow in its place, but the most significant pieces, such as the Shams ol Emareh (Edifice of the Sun) above were maintained. This building was originally designed to provide panoramic views of the city.

As I mentioned earlier, you have to bring all money you intend to spend physically into the country, as there are no connections to foreign financial systems. This leads to both an official and an unofficial currency market. It also gets a little bit more complex because there is both the Rial, and the Toman, which is no longer an official unit, but is practically used for all large amounts. A Toman is 10 Rial.Small amounts are typically presented in Rial, and large amounts in Toman, but the difference as someone not well versed in the currency is seldom clear.

The gentlemen in the photo above sold and bought USD, EUR and Rial from each other on an ongoing basis, and when you walked over and asked them to exchange some of your money for you, each would give you a different exchange rate. Most significantly worse than official exchange offices, but some actually a bit better.

Everywhere you go in Tehran, you find images next to the road of people that have in some way been instrumental to the country. Most everyone abroad is familiar with images of Ayatollah Khomeini and Khamenei, but there are others too. The above was an image of Mostafa Chamran, the first defense minister of post-revolutionary Iran, who died during the Iran-Iraq war. He was a physicist who spent some time in the 1960’s working in the United States, at Bell Labs and NASA’s Jet Propulsion Laboratory.

A little bazaar in the North of Tehran. Iranian tour guide jokingly said: “Did you not watch Argo!” when he saw me taking a photo. I laughed. People were very friendly in the bazaar, as they’ve been in most marketplaces I’ve ever been.

One thing that stood out throughout the trip was how hard people in Iran worked. The technology professionals I met with often worked long days until 9 or 10pm, and were all very highly trained and educated. However, when they took time off, they seemingly all went out with the entire family. One of the things I enjoyed was how in restaurants, people seemed to typically bring their children, rather than looking for a babysit, as is customary in the United States.

If you like Iranian cinema, which is truly a genre of its own, I highly recommend the Film Museum, which was established under president Khattami. It has lots of exhibitions on early Iranian movie stars, as well as movie production. I think I most enjoyed its large collection of movie posters, where I spent some time looking for movies I’d seen. Iranian cinema tackles some really interesting topics. One of my favorite posters to find was Baran, a 2001 almost entirely silent movie about a 14-year old girl who dresses up like a boy to replace her father at a construction yard.

Esfehan

The Shah Abassi hotel in Esfehan is a traditional caravanserai, which historically supported the flow of information and commerce along the silk road. It was built about 300 years ago and recently renovated to be a very nice hotel in the city. The hotel is built around a square inner courtyard with lots of plants, restaurant tables and fountains.

Naqsh-e-Jahan square is a major square, and a UNESCO world heritage site at the center of Esfehan, constructed in the 16th century. Historically, Tehran has not always been the capital of Iran, and in 1598, Shah Abbas moved the capital of his empire from Qazvin to Esfehan, initiating this square to be the centre of his power.

On each side of the square, one building represents the centre of power: religious, commercial and political. Commerce was represented by the Imperial Bazaar, which runs inside the buildings, covered from the desert heat outdoors. Religion by the Masjed-e Shah mosque, visible in the photo above, and politics was represented by the Shah’s Ali Qapu palace.

There’s one other mosque in the square, the Lotfollah Mosque, a private mosque to the royal court, intended for religious learning by the ruling family.

The Vank Cathedral, is an Armenian cathedral in Esfehan, established in 1606 in dedication to Armenian deportees resettled due to the Ottoman war. It’s famous for a band of murals that describe the life of Jesus, and the pain inflicted by the Ottoman empire on Armenian martyrs.

The inner arches of the Si-o-se Pol bridge are a common place for people of Esfehan to hang out during hot weather. Sadly, the river that is supposed to flow here, Zayanderood, was completely dried out due to several years of dry spells and water diversions for agriculture.

 

Back to the United States

I had a final interesting run-in during my departure from the country. Apparently my visa, which stated validity from September 3rd through 18th, was really only valid for five days. This took me off-guard, as a visa on arrival is typically for thirty days. Because the visa was applied for in advance with a specific length of stay, it was alas a day short for my actual stay.

I didn’t realize this until I showed up at the border, and the immigration officer checking my documents, who unfortunately did not speak English, wouldn’t let me pass and gave me a little note saying “Immigration Police”. I walked over to the desk, right next to the immigration clerks, and was told there I owed a 200,000 Rial fine. Alas, I no longer had enough Rials, and they didn’t accept USD on that side of the border. I was almost sent back out via security to an exchange office, but luckily the bank officer himself was able to do a quick change (at the right rate), and I was on my way. Outside of this minor inconvenience Imam Khomeini was a small and practical airport.

Iranians are very hospitable and welcoming people, and I actually realized this a little bit to my detriment on the very final night. At the airport, I suddenly realized I had received far more gifts than I had the ability to take with me! Looking at the little cart above, the only thing I took into the country was my black roller-bag at the bottom. All other boxes and bags were gifts from the conference organizers, the friendly team at MCI who welcomed me and showed me some of the beautiful parts of Tehran and Esfehan, and many others.

However, I discovered that despite sanctions, it’s actually completely feasible to ship things from Tehran to the United States! I loaded it all in a box, had it shipped to San Francisco, and picked it up there a week later. Walking through the Department of Homeland Security office, the customs officer looked up a bit when I declared goods from Iran, but outside of that he wasn’t even very curious about them.

Contrary to my expectations, when returning to the US, the only question I was asked was “whether I saw any violence”, which struck me as an odd question. Contrary to a trip to Pakistan a few years ago, when I ended up being preselected for security screening for six months after my return, immigration, even as a US permanent resident and not a citizen, was otherwise very quick with no questions asked.