ARIN 55 Public Policy and Members Meeting, Day 3 Transcript - Wednesday, 30 April 2025

Skip to main text Jump to related content
This transcript may contain errors due to errors in transcription or in formatting it for posting. Therefore, the material is presented only to assist you, and is not an authoritative representation of discussion at the meeting. If additional clarification and details are required, videos from our original webcast are available on our YouTube channel.

Opening and Announcements

Hollis Kara: Welcome to Day 3 of ARIN 55. Folks are coming into the room. This morning, we have a short agenda.

First of all, though, let’s have a big round of applause for all of our elected volunteers who support the ARIN community – our Advisory Council, our Board of Trustees, and the NRO Number Council. There you go.

(Applause.)

I think we can breeze right through this with just a quick reminder as always. Virtual attendees, please raise your hand or put your questions and comments in Q&A. If you wish to participate in any of the dialogue sessions inside the room, chat is there for you to chat. Virtual Help Desk will be there until 9:30 this morning if you require any assistance.

If Zoom disconnects, try to reconnect, if it doesn’t work, head over to the webcast and await more instructions. If the webcast isn’t there, keep an eye on your email.

In the room, again, welcome to join the Zoom session to talk to the virtual attendees. But if you do so, please make sure to disconnect from audio and mute your device.

When you approach the microphone during any discussion periods, please lead off with your name and affiliation for the benefit of the transcriptionist. Speak slowly and clearly. And, yep, that’s pretty much that.

Everybody should be on the network. Yes? Thumbs up? Thumbs up. Okay. We’re good. If you have a problem, Registration Desk is there. Slides and webcast are available online. We are recording. Live transcription is also available.

This morning, we’ve got a set of department reports, an update on our training initiatives, a short break. And then we’ll come back for a legal update, a report from the Risk & Cybersecurity Committee and then a final Open Microphone before we close.

Again, Standards of Behavior do remain in place. If you have any challenges or issues, do reach out to our ombudsperson, Stacy Lightfoot Goodwin.

She’s here in the room. Her contact details are also available here.

Remember, we’re all here with the same goals in mind, and let’s treat everyone with courtesy and respect as we go through the proceedings.

Alright. More audience participation. Thank you to our Network Sponsor, Spectrum.

(Applause.)

Our Webcast Sponsor, Google. (Applause.)

Our Platinum Sponsor, AWS. (Applause.)

And our Silver Sponsor, IPXO. (Applause.)

With that, to give you a break from me and also because I’d like to feature her charming personality and attitude, let’s bring up Ashley Perks, our Communications Manager, for an update from the Communications Department.

(Applause.)

Department Reports

Communications Report

Ashley Perks: Thanks, Hollis. Hi, I’m Ashley Perks. I’m the Communications Manager here at ARIN, and I’m here to deliver the Communications Report.

Normally Hollis does this, but I do think she may have gotten tired of introducing herself, so here I am.

Let me get my slides. Alright. First things first. Meet the team via our favorite Slack emojis.

Most of us are actually here at ARIN 55. Please feel free to stop and say hi. We’ve got our fearless leader Hollis Kara, cradling a quad Americano probably.

Melissa Goodwin is our Meeting Manager and helps create all of this. Craig Fager is our technical writer who works with our Engineering Department to craft documentation for our services.

Heading up our social media and blog is Christina Paladeau, who is always looking for guest bloggers from our community, hint, hint.

John Davis, our Communications Specialist, is repping the team back home. He serves as our virtual host for the meeting. If you’re a virtual attendee, go ahead and give him a thumbs up because he’s been doing a great job.

Desmond Jackson is here for his first meeting. He’s our Graphic Designer. If you’ve enjoyed any of our meeting designs over the last couple of years, give him a high five at the break.

And we have our two training divas, Beverly Hicks, who is up on the riser, and Alicia DiCiaccio, who is back home in Virginia.

So what is this bunch of grammar nerds up to? I’ll talk a little bit today about our key deliverables and Mailing Lists, how we collaborate internally, an update on our Consultation and Suggestion Process, information on our social media and blog engagement, and some upcoming ARIN events.

First, some 2025 milestones. ARIN 55 and our annual report is in the spring. Next up for us is continuing our outreach and event support and the launch of ARIN Academy, which Hollis will be talking about later this morning.

Coming up in the summer will be Origin AS retirement and development of internal training. And in the fall we’ll be focused on supporting our ARIN elections as well as hosting ARIN 56 in late October.

Earlier this month, we published our 2024 annual report. We did change this up a bit from our previous reports by streamlining a lot of the content and focusing a bit more on statistics. You can check it out by visiting arin.net/annual_reports.

I mentioned Origin AS retirement a few slides back. Just a quick overview. In July of 2023, the Board of Trustees adopted the ARIN-2021-8: Deprecation of the ‘Autonomous System Originations’ Field policy and gave staff two years to deprecate, which means this is going to happen in July of this year.

We’ll be posting monthly reminders about this retirement beginning today as well as informing customers via email and social media posts.

If you need a bit more info, I also encourage you to read our posts on the ARIN blog. Just go to arin.net/blog and search for Origin AS.

Now if you’re interested in receiving service retirement updates like these, I do encourage you to subscribe through the ARIN Announce mailing list.

Some topics that we send out include information about our Fellowship and Grant Programs; Internet community information, such as ICP-2 or Number Resource Organization announcements; ARIN Election information; IPv4 Waiting List updates; and more.

You can subscribe today by scanning that handy QR Code, or you can visit arin.net/mailing_lists to subscribe to it and one of our many others.

We have two different categories of Mailing Lists, discussion and broadcast. Discussion lists are intended for the community to discuss topics. As I’m sure you’ve heard throughout this meeting, the Public Policy Mailing List is meant to discuss Internet number resource policy.

Our General Members Mailing List is open only to our General Members and it’s focused on ARIN governance.

We also have a Technical Discussions list where you can talk about updates to ARIN’s operational tests and evaluation environment or ARIN services.

And our Consultations list is available for discussion and feedback when we have an open consultation. And I’ll talk a bit more about that later.

Our broadcast lists include ARIN Issued, which is a daily report of resources issued by ARIN and resources returned to ARIN. And our Suggestions list notifies our community of any new suggestions that we’ve received as well as any updates to them.

And now available, for a limited time only, we encourage you to subscribe to the ARIN region’s ICP-2 Review Mailing List. You may have heard Nick Nugent deliver his presentation about this earlier this week.

If you missed that, you can scan that QR Code to learn more about ICP-2. And this is one of the ways where you can share your feedback with the NRO NC about the draft text of the governance document. And don’t forget to get those comments in before May 27th.

We collaborate with multiple departments across ARIN. These are just a few of the programs, services, and initiatives that we support, from outreach events to the Fellowship Program, to technical documentation.

Now for some updates on our Consultation and Suggestion Process. Consultations are open for a set amount of time to receive feedback from the community on a proposal, and we really do use that feedback to determine how we move forward.

2024, I like to say, was the year of the consultation, with seven total throughout the year. Our topics range from RPKI BGP intelligence, Registration Services Plan adjustments, API key handling, change notifications for ARIN Online, retirement of FTP at ARIN, reallocation control features, and improvements to Reg-RWS.

We also received 15 suggestions from the community in 2024. This is where you can send a direct request to us for a feature or a change. ARIN staff will evaluate and we may refer the suggestion to a community consultation or our Board, maybe add it to our development roadmap or close the suggestion if it’s out of scope.

Of the 15 suggestions that we received last year, there are eight that are still open for potential implementation.

Now, you may be thinking to yourself, the math is not mathing, eight plus 12 is not 15. And that’s because some of the suggestions we closed in 2024 – which were focused on improvements to ARIN Online, RPKI enhancements and suggestions to our Mailing Lists – were not all submitted in 2024.

In 2025, so far we’ve received three suggestions from our community, two of which were spam.

(Laughter.)

But we have closed three suggestions, two older ones which were completed with the deployment of our IRR auto manager and one which was referred to Community Consultation. So I guess we’re kind of even.

And speaking of that, that suggestion’s consultation is open now. Subscribe to the ARIN Consult mailing list to submit your feedback for AS-SET naming before May 23rd.

And we have two more opening this summer, RWhois retirement planning and API key permissions enhancements. So if AS-SET naming isn’t doing it for you, maybe one of those two will.

Now, on to our social media roundup, thoughtfully prepared by Christina Paladeau. We were pleased to see growth for our channels over the last year, with a moderate increase in engagements for our LinkedIn posts. So thanks to all those who threw us a “like” over the past year.

Our most popular content topics were focused on the Fellowship Program, various announcements and consultations, IPv6, and our blog posts, which was great, because in 2024 we posted 42 articles to our ARIN blog.

Our top posts were related to the business case of IPv6 series, ARIN 53 and 54 Fellows, and our 2024 grant recipients.

So far in 2025, we posted 18 blogs. And we encourage you to check out our recent posts about ARIN’s IRR auto manager and our series on our inclusivity, diversity, and equality at ARIN.

If you do miss a post, email, or announcement, or maybe you just don’t have time to read all the blogs – sorry, Christina – then I highly recommend you check out our quarterly roundup, ARIN Bits. This will give you all of the information that you may have missed as well as details about future events, services, and initiatives.

How do you read the ARIN Blog? There are two ways. You could visit ARIN.net/blog every day to see if there’s a new post, or you could subscribe to the ARIN Blog, where a new post will be automatically emailed to you. Before you worry about us clogging up your in-box, we do send an average of three to four posts on various topics per month. You never know, because one might be of particular interest to you or your organization.

The communications team is a tight-knit group, and we all help each other out with our various projects. There’s no staying-in-your-own-lane culture with us; we are constantly weaving in and out.

We collaborate to define requirements for tools and services, implement communication strategies to educate our customers and community, and we gather feedback and put it to work to improve our methods. After all, you can always improve.

We’ve got upcoming events. Mark your calendars and save that date for ARIN 56, which is being held just after NANOG 95 in Arlington, Texas, on October 30th and 31st. Registration for ARIN 56 is slated to open in late summer.

But sooner than that, you can find me, Eddie Diego, and John Sweeting at an ARIN on the Road event in Montreal on June 17th. Invitations to our Montreal-area customers will be sent in mid-May, so keep your eyes peeled, and we hope to see you there.

You can visit our event calendar at ARIN.net/events to see these and other upcoming Internet industry events.

And with that, I think that’ll do it. Thanks for listening.

(Applause.)

Hollis Kara: Thanks, Ashley. If anybody has any comments or questions for Ashley or I, feel free to approach the mics or start talking. I’ll let her answer. I will.

Anything? Nope. She’s running. She’s gone.

(Laughter.)

(Applause.)

Alright. Thank you, Ashley. Excellent job. Everybody give Ashley another round of applause for her ARIN debut.

(Applause.)

Customer Experience and Strategy Report

Alright. So next speaker is Joe Westover, Director of Customer Experience and Strategy, except for the fact that Joe Westover is still not having a great time.

I’m going to jump in and try to present his slides for you. I appreciate your patience as I go through these. I think I know what’s in here, but let’s take a walk together.

So the Customer Experience and Strategy Report. Here we go. CXS has several primary areas of focus. They run several programs like our Premier Support Plan and Qualified Facilitators Program. They run elections support, member support and public policy support. They work on business process and continuity. They identify and gather and prioritize input into the engineering process. And they also support the Fellowship Program, community grants, and outreach and engagement. So they’re covering a lot of territory and doing a lot of work.

And they do it with a very, very tight team.

So Joe runs the show, with the support of Amanda as his project manager and Marty as his overall team manager. And the rest of the team is flushed out with Eddie Diego, Prabha, and Regi, who are — well, Eddie is here, but the rest of the team is back in Virginia watching online and groaning as I fumble through these slides. They are focused on the policy process and customer success. And they’re all there and they’re great folks to work with. We have the great benefit in Communications of collaborating with them on lots and lots of projects, and they make it really, really effortless.

So two of the main programs that I’d like to spotlight today are our Premier Support Program and our Qualified Facilitator Program.

Now, we launched the Premier Support Plan in 2021. We expanded it in August 2022. When it was launched it was a service that was extended to our 2X and larger organizations, providing them white glove support to manage tickets as well as 24/7 on-call support and a bunch of other things.

In 2022, August, we expanded that to allow smaller organizations to pay a $5,000 fee to subscribe to that program. And it’s going really well. We get a lot of great feedback. One of the great features for us, internally to ARIN, is that quarterly roundtable because it is a great opportunity to get direct, for customers to get direct time with leadership, for us to provide updates and to get some really good feedback on what’s working, what’s not, and where we can make service improvements.

And actually some of those things are things that Ashley just alluded to in consultations that will be coming up later this summer. So it all knits together.

We also have transitioned into the Qualified Facilitator Program in August of 2023 when we retired our old STLS, Specified Transfer Listing Service, and the transfer coordination for facilitators that we offered there. Now we actually do do vetting with all of our qualified facilitators to give a higher degree of confidence to the community in utilizing those services. And we work closely with those folks, even having quarterly roundtables to find out how we can better work together to support transfers in the ARIN region.

A big, big milestone of the year that CXS oversees is our elections. And that’s really, really critical to the mission of the organization. So they provide operational support and overall program management for that project.

Public policy support. As you know and you’ve seen all week, Eddie is here working with our AC to facilitate the policy process and supporting the PDP and making sure all the things happen. And Comms backing him up to make sure everything gets published. And we all work together to make sure that’s a success.

So the process roadmap progression. This is where you’re going to have to bear with me a little bit more. Over the last several years, Joe and Marty and Regi have been working together to build out a process roadmap to kind of help figure out how to pull things from ideas into requirements, into actual solutions that we can work with Engineering to get deployed.

So they have completed that process for how they take that information in, how they review it, and how that is evaluated for prioritization. And they’re continuing to look now into how to improve ARIN’s ticketing processes and our financial services processes to continue to streamline to make things work better both for you as customers and for staff.

And things that are also planned coming up are more of those internal workflow improvements.

We’re looking at ways to streamline and make the ACSP work better at tracking of that, because if you’ve ever gone back and looked at the suggestion log, it is quite long. It’s a bear to track, I’m going to be honest with you.

We’re also looking at changes to notifications that are available in ARIN Online, reallocation control features, customer notification improvements, and lots of other things to just make your lives better as ARIN customers.

While they’re doing all that, because that’s not enough, they’re also overseeing and managing our calendar for community programs and outreach. We run a lot of events cooperatively that are ARIN-hosted, but there’s a lot of customer outreach that happens, going to other industry events, which has been talked about over previous days. And Amanda has the grand task of trying to make sure that calendar stays organized and we stay flying in the right direction and speakers are lined up and presentations are in order. It’s a lot of work when you’re looking at a calendar of oftentimes 30 to 40 events a year. While doing that, we’re also managing ARIN grants. Applications are open now. If you know a project, please ask people to take a look at that and consider applying, and the Fellowship Program, which is well underway for ARIN 55 and will be, almost as soon as we’re done, spinning back up for ARIN 56.

So some of the key priorities, as I just mentioned, looking at those internal workflows; looking at improving ACSPs to make sure we’re getting those suggestions knocked out or addressed as best we can and quickly and that those things get prioritized; to continue to grow our PSP and Qualified Facilitator adoption, getting folks to use those tools and taking advantage of those servicing offerings and maintaining policy alignment; and then enhancing all of our direct outreach and taking that real-time feedback that we get from those engagements to make that information, what we’re bringing to you better and providing the information that you need.

And then also just leveraging some acronyms that I’m struggling to come up with the words for —

From the floor: (Inaudible.)

Hollis Kara: Yeah, see, we’re both lost — to just make sure that, basically that what we’re spending time on and what we’re spending the community’s resources on are the things that are going to be the highest benefit to you.

There’s so many things that folks want for ARIN to do. And there’s so many things that we would like to do. But there’s a cost-benefit that has to happen, and we need to make sure that we are getting the most bang for your buck.

And that is it. I am happy to take any questions or comments. I would suggest maybe you consider emailing Joe. But I know if you’ve got something, John Sweeting will be happy to jump at the microphone and help me out.

(Laughter.)

Kevin Blumberg: Kevin Blumberg, The Wire. It’s awesome to see ARIN streamlining and looking at its processes and saying, hey, we can take these five steps and knock them down to one. It helps you, helps us as the community. You saw it with the transfer timelines yesterday. It was awesome.

I’m actually kind of curious, been around a couple years, the types of tickets that now get opened or closed or whatever, just is 87 percent of all tickets that come into ARIN related to transfers as an example? I’d love to understand the change in the community over the years with the types of things.

Are the requests informational; I need to understand how something works? Or is it more I need to do something?

I’m just kind of curious because when I hit up ARIN very rarely, it’s here’s my specific need, do it, thank you, all done. But I’m probably not the normal person. So I’m kind of curious the types of things that do come into ARIN.

Hollis Kara: No one would accuse you of being normal, Kevin.

(Laughter.)

You made that one easy.

John Sweeting: John Sweeting, Chief Experience Officer.

Hollis Kara: Please take note, John and I are twinning. We did not plan.

John Sweeting: Yes, that’s why she could do this one and not me because you wouldn’t know it wasn’t me —

Hollis Kara: Not at all.

John Sweeting: So CSI is continual service improvement and the PIR is product improvement register? Process improvement register. These are terms Joe uses internally with his team, and it sounds good and they’re doing that stuff. So I’m glad they’re doing it.

To Kevin’s question, most of the tickets that come — there was two suggestions up there. One was about Ask ARIN tickets and Hollis said tickets.

Really for that one it’s really the Ask ARIN tickets, which is kind of the anything you want to ask outside of requests you can use that. And it was very structured and hard to use.

So we’re doing it — it’s being improved to where you’re going to easily be able to tell us, ask us what you want in the tickets. And, also, I believe we’re going to be able to use it to where RSD can initiate tickets to the customers, which today we have no way of doing.

We can initiate tickets for the customer, let the customer pull them back, but we can’t open a ticket to talk to a customer, which we’ll be able to do with that Ask ARIN ticket.

The topics are going to be easier for you, and there’s going to be some freeform in there, so you can actually put in what you want to talk about.

On the number of tickets, transfers are the biggest part of the tickets. We probably do, I don’t know, we didn’t put those stats up, but we can do that at the next meeting.

Hollis Kara: Good question. I’m sorry, that was about Ask ARIN and I kind of blew past it.

Alright. Anything else? No. Seeing nothing, we’ll move on right ahead to the next presentation. I’d like to invite up Erin Alligood our Chief Human Resources Officer to give an update on —

John Sweeting: One second. We do have a Registration Services Department coming up after Erin. Lisa is going to give it. And you’ll get your out of there numbers there, Kevin. I was thinking we were going to do that.

Hollis Kara: Thank you, John. Come on up, Erin. We’re not kidding this time. (Applause.)

Human Resources and Administration Department Report

Erin Alligood: Good morning. John was trying to steal my thunder. As Hollis shared, I want to also highlight, but Hollis did that on the fly for Joe. So let’s give Hollis a round of applause.

(Applause.)

Alright. Good morning, everyone. Welcome to Charlotte and virtually as well. I’m Erin Alligood. I’m ARIN’s Chief Human Resources Officer.

I’m here to present on the latest updates for my team, the Human Resources and Administration team. Here I am.

So we wanted to do something fun and we picked our favorite Bitmojis, highlighting a few of our favorite things. So first I’ll introduce Natalie Harold, our team foodie. Natalie is our HR Generalist. Natalie has been with ARIN for three years. Her responsibilities include payroll and benefits administration, recruiting, onboarding new employees, and helping with other miscellaneous HR projects that we have planned throughout the year.

Next is Lori Gheitanchi, our team baker and chef. Lori is our Facilities and Travel Manager and has been with ARIN for over five years. Lori manages our facility, located in Virginia, and makes all the travel arrangements for the ARIN employees. And she also manages our relationship with our travel agency.

And many of you have already met Melissa Montgomery. Melissa is our world traveler. She is actually in the room right now, so please be sure to stop by to say hello to Melissa. She’s working the Registration Desk at the meeting. And she serves as our Volunteer Support Specialist, providing outstanding administrative and travel support for our ARIN volunteer groups to include the Board of Trustees, the Advisory Council and the ASO AC, as well as booking travel for the ARIN Fellows.

And then acting as our receptionist is Mindy Engstrom, our animal lover. We have that in common, as you see. Mindy has done a wonderful job helping with our office events, receiving and distributing our mail and deliveries and then assisting with calendar items. Both Mindy and Melissa have been with ARIN for almost three years.

So how do we support ARIN? As you can see, we handle a wide variety of responsibilities. Of course, it includes all facets of human resources as well as some of our other responsibilities, to include travel administration and office and facilities management.

So moving into some of our projects over the last year, we had a very productive year in 2024, as you see here. And 2025 is off to a great start.

So in 2024, we successfully conducted our required annual audit for our 401(k) plan for the 2023 plan year, which returned a favorable letter from our auditor. And fun fact, our participation rate in the 401(k) plan is over 90 percent due to ARIN’s very generous employer match of up to nine percent.

Oversight of our 401(k) plan is conducted by the Fiduciary Investment Committee, which consists of: Michael Abejuela, our General Counsel; Richard Jimmerson, our Chief Operating Officer; Brian Kirk, our Chief Financial Officer; and myself.

And the committee just recently conducted a request for proposal process, or an RFP, to evaluate a new 401(k) administrator and record keeper. After careful review of various vendors, we decided on T. Rowe Price and successfully transitioned from Principal, our previous vendor, to T. Rowe Price in September of last year.

With this transition, we were able to streamline some of our processes on the back end as well as save some overall costs for the plan. And most importantly this has been well-received by our employees.

We also completed various training programs in 2024 and in 2025. This included our annual harassment prevention training for all employees and our volunteer groups to include the Board of Trustees, the Advisory Council and ASO AC.

And then in late 2024, we hosted a general management training series with all of our people managers. We have several new managers at ARIN, and we wanted to ensure that all of our people managers have the tools that they need to manage their teams.

As part of this series, we also conducted a management inclusion training that was sponsored and facilitated by an outside vendor. And then all of our employees received inclusion training with the same vendor just this past February.

In this slide, you’ll see that I highlighted an excellent blog by our President and CEO, John Curran, on inclusivity at ARIN. I encourage you to read this blog as John highlights ARIN’s philosophy on inclusion in the workplace and shares our efforts in this area.

Some other projects in 2024 include our salary survey, which is conducted every other year to ensure that our employees are compensated within the ranges within the Washington, D.C. job market and in their positions at ARIN.

We also analyze our benefits, comparing it to other companies and making sure that we’re competitive in that market as well. This overall exercise helps us to retain our current staff and attract new talent at ARIN.

Based on Board guidance, we also recently developed a volunteer-wide Code of Conduct. This conduct will be signed annually by our volunteer groups to include the Board of Trustees, the Advisory Council and ASO AC. While the general community adheres to the participants expected Standards of Behavior, our volunteers have a higher –duty given their roles in the community.

ARIN also sponsored a toy drive with a local charity during the holidays in 2024. This was a very meaningful activity for our employees, where we helped local families give their children a more special holiday. You can read more about this on the website blog that I provided on the slide. And we plan to continue with this effort in 2025 during the holiday season.

Also we hosted an in-person employee workshop to enhance our company Value Statements, which you’ll see on this next slide.

This session was facilitated by an outside vendor where employees contributed ideas to enhance the statement “Our People Matter,” adding elements of inclusion and making the statement more current given its relevance to the employees.

I encourage you to read our Value Statements in full, which you can find on our website. I think by reading the Value Statements you will have a great understanding of what’s important to us as employees and even for our volunteer groups.

As reflected in the Value Statements, our employees are proud to be part of this community and serve ARIN’s mission on a daily basis.

Now moving into some of our employee statistics. Fully staffed, we are currently at 106 employees. And it’s important to note that, based on Board guidance, and our President and CEO, we plan to maintain our current staff levels until otherwise directed.

You can see here in this graph that we have a significant population of tenured employees at ARIN, noted in the 20-plus-year category, 15 to 19 years, 10 to 14, and five -to – nine year category. I’m happy to report that our employee tenure continues to be very strong at an average of nine years.

As always, ARIN continues to actively staff and recruit new talent in the zero to –four year category to support the evolving needs of the community and the organization as a whole.

Alright. So what do we have planned for the remainder of this year and into 2026? We will continue with our inclusion and diversity efforts.

This includes our upcoming required filing of the Equal Employment Opportunity Commission Component-1, filing or EEO-1, since ARIN is now over 100 employees. We will also continue to provide our ombudsperson at the ARIN meetings to ensure productive and safe meeting for the community.

And as noted on the slide, and also as Ashley had mentioned, John Curran published additional blogs related to this area. And I encourage you to take a look at our website to learn more about ARIN’s initiatives with regards to inclusion and diversity.

And then one of our other projects this year will be our 401(k) audit for the 2024 plan year, which is currently underway. And then one of our bigger projects this year and into 2026 will be our Future Workforce Planning Project.

ARIN’s building lease will be expiring in early 2027. So we will be evaluating our future workforce model to help us plan for the type of office space we will need going forward.

We recently conducted an employee survey where we sought input on office use. And we’ll be using that information as a tool to evaluate our needs going forward, as well as other data points to include feedback from our various department directors and executives, and, of course, cost.

I will be excited to share the results of that project in my next presentation next year.

Those are just a few things from my team, and I hope you enjoy the rest of your meeting. That’s it for me.

Hollis Kara: Alright, folks. (Applause.)

Don’t run away, don’t run away. Now is your chance to “ask Erin” without submitting a ticket in ARIN Online.

(Laughter.)

Come on, it was good. If you didn’t think it was funny, it’s Pete’s fault. (Laughter.)

Erin Alligood: I think Kevin left the room.

Hollis Kara: Are there any questions or comments for HR before I let Erin go back and sit down? Thank you, Erin.

Erin Alligood: Thank you, everyone. (Applause.)

Hollis Kara: I don’t know, Pete, I thought it was funny.

Here we go. Next up, Lisa Liedel, with an update from our Registration Services Department.

Take your time.

(Applause.)

Registration Services Department Report

Lisa Liedel: Hello. Let’s talk a little bit about the Registration Services Department and what we’re up to, what we do for you all.

So just a quick overview of, like I said, the services we do, our current volumes. There’s going to be a little bit in here for Kevin about the number of tickets we do.

Some recent improvements, which you’ve probably heard already through some of the other presentations, and some customer experience highlights.

So the Registration Services Department, we do all the resource request tickets, your IPv4, v6, ASNs; transfer tickets – the 8.2s, 8.3s, and 8.4s; and some routing security functions and data accuracy functions, as well as all of the bad Whois reports we get from individuals. We take care of all that as well.

On our team, we’re a small team, but we have our Level 1s, Level 2 and Level 3 Customer Resource Analysts. So we have Marco, Jamcy, Shea, Tiara and Armando. They’re the newest Level 1s. They’re the newest to the group. They’re doing a great job.

Then we have Jenee, Alyson and Emily as our Level 2s. They’re also your Premier Support Analysts. When you are a Premier Support customer, you get a dedicated analyst.

And then Mike Pappano also is a PSP Analyst as well, and he’s our Level 3.

So for our customer engagements, for our ticket counts, we have done almost 6,000 phone calls for individuals, about 1700 live chats. And I think John was explaining that we do chat between 10:00 and 4:00, Monday through Fridays.

Ticketed requests that are related to IPv4 were around 1800; 513 of those ended up on the Waiting List.

Then we did another 1700 requests for Autonomous System Numbers and 1300 IPv6 requests and then 2700 transfer requests. So these are the numbers for tickets that we do.

The 1300 other ticketed requests through the Ask ARIN tickets – which are how do I do things, where do I go to do things, which policy am I applying under – mostly that’s what we get under those.

So throughout the process of Joe and his team working through some improvements to help RSD more quickly address tickets and everything, streamline everything to remove some redundant processes, we were fortunate enough to get a system where we could upload all of our documentation for tickets to the tickets now instead of depending on outside storage systems, such as our network and trying to bounce back and forth, trying to find attachments out on the network and put it into a ticket. It became very bothersome, I guess I’ll say.

Now we have them all in one place. It’s on the ticket. We could get everything that we need. It is much easier for staff to find. So you shouldn’t hear anymore of staff asking for something that you’ve already provided because we’re not trying to hunt everything down anymore. So that should help streamline everything, make the process go a lot quicker for everybody.

We’ve also streamlined our workflow for our checklists and our worksheets that we have been doing, just to make sure that our staff is able to get the information that we need, make sure they have everything done up front. They don’t have to come back, keep asking for something else, especially with the 8.2 transfers, which are a little more time-consuming than most everything else.

So some of the new things that are really helping RSD a lot is the Registry Integrity and Oversight team. That’s going to take a lot of burden off of RSD from having to do Section 12 audits. Those are very, very time-consuming. And while we’re doing those, we’re not able to actually focus on the tickets to get everybody the resources that they need.

So we work closely with Reese and his team now. We can assign them the tickets for Section 12s that need to be done or for anything that we feel might be kind of fraud-related. Reese and his team will take care of that as well.

We’ve also worked with Joe and Hollis and team on decluttering our messaging. I know a lot of messages – we’ve heard this from customers – are a little confusing, there’s too much information, a lot of things that really had nothing to do to make the ticket progress a little quicker. We’ve been working on that, taking out a bunch of the clutter that was in there.

When we had locked all the accounts that did not have multi-factor enabled on them, we needed a way to actually verify the person who was calling to get an account unlocked was actually that person.

Just depending on an answer to a challenge question just didn’t seem right. So we started doing some Zoom calls and asking people to produce a government-issued photo ID. And we found that those who were re-registering domains or trying to take over somebody else’s account, they didn’t want to participate in a Zoom call. So that felt like we were doing something right there.

We’ve talked to 423 people that we’ve unlocked so far. And in those calls, I’ve had several of the customers say that they really wanted to emulate the whole thing because they don’t want to keep personally identifiable information in their systems any more than we do. So they kind of like that process, and they were going to look into that as well.

Most of the customers were very happy that we were doing it, just as an extra layer of security, make sure nobody was trying to get into their account. So they did appreciate that.

A few customers were not happy about it. But once we talked to them and explained why we were doing it and just how valuable their resources are, they did turn around and they were very appreciative of the fact.

And this is just some customer highlights. We do a transaction survey with every ticket that we do. So this comes from those transaction surveys.

And generally customers are very happy with the service that they’ve been receiving. They’re getting timely responses. The responses are clear. They name the staff by name in a lot of their comments, which is very nice. But not everything is always perfect. So we do have room to improve. And we want to hear the good as well as the bad because we do want to improve.

And we still are getting some responses that were not very clear in what we’re saying. They would like it to be a little more clear. Sometimes it seems a very robotic response, which they don’t like as well. So we are going to continue to work on our messaging. But we have done a lot of work to tighten up all of that in our response times. And all of our tickets have improved a lot.

And that’s all I have.

Hollis Kara: Alright. Microphones are open, virtual and here in the room. If you’re online and have a question for Lisa, please start typing. If you have a question here in the room, please approach the microphone.

Alison, we’ll start with you.

Alison Wood: Alison Wood, state of Oregon. I’ve had amazing success with you guys, both over the phone and on email and chat. Super happy with everything we’ve done with ARIN.

Would ARIN ever consider using, like, an AI chatbot to kind of take some of the load off the staff and just let AI handle some of those tickets?

Lisa Liedel: I think we would look into that. I mean, it’s something that we would work with Joe and his team on, as part of the enhancing the service for everybody.

Alison Wood: Thank you.

Hollis Kara: I see JC has a comment on that one.

John Curran: So we’re happy to consult with the community on that. There are some people who feel that an AI chatbot helps them get what they want to get done faster. There’s others who only go and engage with ARIN when they know that what they want to do can’t be done in an automated fashion. And so the AI chatbot is effectively a gateway between them and the analyst they’re trying to reach. So need to be very careful about that in setting expectations.

We will, if people want us to explore that, we’ll do it. Please drop in a suggestion, though, so we do it in a structured manner. People have two sides to that one.

Alison Wood: Absolutely. As a customer, there are things that I know I really don’t want to put anything on ARIN staff to actually do. I know it’s probably just a dumb request and an AI bot could answer.

Lisa Liedel: Never a dumb request.

Kevin Blumberg: Kevin Blumberg, The Wire. I love that you had in there tone, that you’re trying to work on improving tone. Sort of to what Alison said, because I now do this on a fairly regular basis, I use AI to take my words and improve the tone because after having seen the same question 50 times, I get a little snarky.

And to the person who’s asking the question, it’s their first time asking it. And by using it, it’s my same words but in a tone that is nonconfrontational. So it’s a blend and it’s an internal tool. It doesn’t change the answer. The human is still sending that and is still doing it, but it is helpful in that regard.

One of the statistics that I’m kind of curious about was your AS tickets. I think it was 1700 give or take tickets. I know there was a huge change to the AS policy a little while ago for the better. Just made it so much simpler.

So I guess my two questions are, has the number of AS tickets gone up significantly since the new policy came into play, A? And, B, are you rejecting far less tickets now with the new AS policy? That would be my assumption.

It’s great, I think, for the community to understand, hey, we put this new policy in place, and now at RSD, here’s how it’s improving the situation. Otherwise we don’t know.

We make these policies. We make these changes. We think they’re doing a good job. We think they’re doing what they’re supposed to be doing. But it will be really helpful, actually, to know at RSD we got 50 percent more tickets, 88 percent better closure rate, that they were approved. I think for the community that would be very helpful to see.

And when something isn’t working the way it’s expected with the tickets, we’ve got a new policy and it’s really screwing up the process, making it a lot harder, that would be something similar.

I know we’ve got the Policy Experience Report (offscreen comment from audience) – but from a community perspective, how policies that were recently implemented may have an impact – like the Policy Experience Report is negatives usually. We’ve seen down sides, we’ve seen this, we’ve seen – the AS one I would hope would be a positive; we’ve seen a significant improvement would be a great thing to see.

John Sweeting: I can let Lisa answer or I can answer. AS requests have, like, they haven’t decreased at all, but the handling of them is one to two days and they’re done and they’re gone. And the customers are getting what they’re asking for, as long as it’s their first ASN.

And then on the second and third ones, they’re actually giving, taking time to give us the real reason why they need that second or third one and it’s being processed pretty quickly.

It’s really improved the ASN process, but tickets haven’t significantly gone up. We’re still doing about the same number of ASNs as we usually do.

John Curran: More generically, Kevin, are you thinking that you would like to see a Policy Experience Report that includes more postmortem statistics on the impact of policies on ARIN? So if you implement a policy – right now we generally only bring you, “here’s policies that have rough edges or implications or problems or things you might want to look at.”

You’d also like to see, hey, here’s some policies you implemented last year and the year before. Here’s some of the positive impacts that have occurred.

Kevin Blumberg: Yes, and the statistics per se – I’m not looking at it for the purposes of statistics alone; I’m looking at it as, the community did something and actually here’s what happened. We thought it was going to improve the situation for people. In fact, that’s not the case, or, yes, it has improved.

John Curran: Okay. We can work on that.

Hollis Kara: Awesome. Do we have any other questions coming in online? Nothing online.

Seeing nothing further in the room. Thank you so much, Lisa.

(Applause.)

Training Initiatives

Hollis Kara: Alright. Next up, hey, look at that. Training Initiatives. And it’s me.

I feel I’ve given this report a couple of times over the last few years, and I hope nobody’s noticed that we haven’t quite gotten as far as we’d hoped following some of the previous deliveries.

Turns out, getting e-learning up and running is really challenging. But let’s talk about where we are now and what’s coming next, because I do have some good news.

So, to give you some context, training falls under Communications. We’ve got a team of two. We’ve got Beverly Hicks, who is on the riser, and we’ve got Alicia DiCiaccio, who is our Learning Designer, and she’s actually at home recovering from surgery this week, so she couldn’t be here. Apparently building training is a dangerous activity.

But in 2024, in addition to our work to continue to try to get e-learning up and running for this community, we’re also busy doing presentation and production support for meetings and other events, we’re building videos as software changes, doing updates to all the just-in-time learning, training documentation, running webinars, supporting deployments, internal documentation, writing job aids. So we’re having to fit this in on a really full schedule with a really small team. And so, I’d really like to give them a round of applause for all the hard work they do, because it’s a lot of effort.

(Applause.)

Where are we now? I want to go through what we offer, where it lives on the website because sometimes we get questions. I know there’s a ton of information on the ARIN website, and sometimes I’m not even sure where things are. I have to go looking.

And then a sneak preview of what we’re planning to roll out in May.

So what can you do now? Now we have prerecorded webinars that are available on demand on things like IRR, on RPKI basics – and there are actually two levels of that – as well as IPv6 Address Planning. Couple of other things. This is just highlights.

We’ve got how-to help videos that are peppered throughout the site and also found on the YouTube channel on all the basic interactions you do with ARIN. If you’re doing something for the first time, and you’re just trying to get a quick walkthrough before you dig in and start trying to fill out a form online, you can kind of preview that.

And then we have lots of downloadable job aids and shorter handouts that just kind of give overviews or business case for doing things like adopting – deploying IPv6 or implementing RPKI.

So, okay, that’s a lot of stuff. Where the heck is it? If you go to ARIN.net, you will see there’s a tools and references in the top-level navigation.

If you click on that, you will see that Training and Education is the column for this to the right, depending on how you’re looking at the screen, I guess – how you look at it.

In there, like I said, everything is kind of broken out. You’ve got videos. You’ve got these job aids and handouts. And those are there from – we keep those up to date. We review those annually and tweak them to make sure that they’re staying current.

And then we have our on-demand webinars that are available there. And, again, as we move forward, you’ll start to see us retire those on-demand webinars as they become actual e-learning modules. So cool but where the heck is that going to be?

Well, there’ll be a drop point to access that that gets published right in that same space. And what you will find there, hopefully, coming sometime in the latter half of May is our launch of our LMS, ARIN Academy.

This is a baby training center. So you can’t really compare us to folks that have been doing this for decades or have huge teams that are involved in developing training. But we did want to make sure we had some good content out there before we launched.

So, we’re going to be launching with two modules and working from there to develop more. And when you log in, you’ll be able to complete those courses.

You’ll be able to earn badges and certificates, track your progress.

And as we continue to move forward there will be particular packages that we deliver for certain audiences. And we’ll start to kind of push those towards particular customer groups as they become available.

But the two courses we’re going to launch with are Getting Started With ARIN and Using Hosted RPKI. There’s something that I wanted to point out that’s kind of distinct – a distinct difference between these two modules.

The first, Getting Started With ARIN, is actually leveraging some cool capabilities that exist inside the LMS that we selected. And basically what we’ve been able to do is import a lot of our just-in-time videos and compile them into a set of modules with some knowledge checks and things like that. But it’s going to look familiar if you’ve seen those videos.

And we actually do have a plan after this initial launch to go back and actually transition that into more fully designed e-learning, what you think of when you go in and look at those courses.

It’s a little bit simplified but it gets the point across. And the information is all there, and we’re just structuring that into a different format.

Now, our hosted RPKI training is going to be the show pony as we launch. It is a fully designed e-learning module. It’s really cool. We’ve been working closely with Brad to make that happen. And I think that folks that are just getting started are going to enjoy that.

And once those things are out and available to our customers, we’re going to start working on IPv6 Address Planning, more next steps with RPKI modules, IRR, policy, and that and more is where you guys come in.

If there are specific topics that you think ARIN should be developing e-learning on, please email training@ARIN.net. We’d love to know so that we can get it on the roadmap.

Now, a quick run through of some of the training deliverables for 2025. I showed you all the things that we were doing in 2024. We still have all those things to do.

This year we’re focused also on some internal training objectives. We are building, as Christian mentioned the other day, a specific-to-ARIN cybersecurity course for our staff. We’ll continue to work with HR to support their compliance training needs, hosting those on LMS.

And, again, we’re getting ready to launch Getting Started With ARIN and the Using Hosted RPKI. And then we’ll be hopefully following up with the IPv6 Address Planning module on or around the time of the fall meeting.

And, as I said, still we’re doing all the things we always do. We’re supporting deployment; we’re building documentation and job aids; we are helping support all of our outreach and programs; building job aids for events, the RPKI ROAthon, the Deployathon that we hosted this week – there was a great job aid, if you participated. That’s something that we worked with Brad to put together. And also then continuing with event production. As you can imagine, event production is a big thing.

So that’s it. That’s where we are with training. That’s what’s coming. And I’m really interested either here now or afterward, like I said, email training@arin.net.

Happy to take questions or comments at this time. Microphones are open in case it wasn’t obvious. Go ahead, Kevin.

Kevin Blumberg: Kevin Blumberg, The Wire. Audience. I love some of the new training stuff that you’ve got on there. Problem is that, I’ll use RPKI as an example, you’ve got a great little informatic about RPKI that is geared towards the person who’s dealing with logging into ARIN Online and taking care of things.

In a lot of cases RPKI becomes a “have to kick up the can to Legal, to the C-levels, et cetera for whatever reason may be. The dot, dot, dot that’s missing from the materials that you have when it comes to RPKI is executive overview, legal brief, basic stuff.

I’m not talking, this is our complicated legal brief, here’s the basic premise behind it from a technical point of view, things like that.

Those are the things that make the person who is coming to the ARIN website able to get it into their organization in a much faster, more efficient way.

You don’t have 10,000 people having to write overviews for their boss’s boss’s boss. They have a “here’s a consistent message from the trusted person related to it,” not “here’s my opinion as an employee that sort of thinks they understand RPKI.”

So if you can continue down that path of looking at who the audiences are that may be able to benefit – and I’m just using RPKI as a poster child today. If you could do that, that would be awesome because I think you already have all of this stuff. You just need to brand it and put it on the website and say, hey, here’s an executive overview that you can use or a legal brief that you could use to sort of explain it to the different audiences.

Hollis Kara: Okay, so I actually have a challenge for you. I have two handouts at the info center right now. One is an RPKI 101 and the other one is document called Why RPKI, which was actually written for kind of making the business case.

I would love to get your feedback specifically, not right now, but offline, on what you think is missing from that document. And we can work with Brad and internally to get that to where you think it’s got the information that you would need.

But that was definitely something that we built with that target in mind last year.

And if we’re missing the mark, it really is helpful to us if we can get that feedback because we’re not sitting in the room when you guys are having those conversations with your leadership to figure out what’s going to get that across the bow.

Kevin Blumberg: I did take a look at that and I’ll take it offline because it doesn’t unfortunately match what you need to do for that audience. It’s great for the audience that’s looking at the website, but not the audience that it’s going to.

Hollis Kara: Okay, well, let’s talk about it. Thank you. I appreciate the input.

Atefeh Mohseni: Atefeh Mohseni, ARIN Fellow. Is there any procedure to host content on ARIN Academy, or are you considering independent individuals to provide content?

Hollis Kara: As of right now, we don’t have any formal plans around that. If there’s something specific that you’re thinking of or have in mind, I’d love to talk about it.

Again, feel free to email training@ARIN.net if there’s – there are particular requirements for what technically it has to be for us to host it. But I wouldn’t rule it out without having a little bit deeper discussion about it.

Thank you.

Leif Sawyer: Leif Sawyer, GCI, ARIN AC and prior ICANN Fellow. One of the things about the ICANN Fellowship is going through the e-learning process.

And there’s about 30 to 36 hours of e-learning to go to the ICANN meeting. And it’s hugely, immensely helpful to go through that e-learning.

So I’m really looking forward to seeing what the e-learning process brings for the ARIN Fellows, eventually. Obviously it’s not going to happen day one, right? But I think that’s going to be a great place for the new Fellows coming along.

Hollis Kara: I like that idea. Definitely I’ll be working with Amanda and figuring out what we can do in that space in coming years.

Taron Mattocks: Taron Mattocks, Meredith College. We’re just starting out in our IPv6 journey, and this seems like it’s coming right on time. So just it’s not a question, it’s more of a comment that this is coming at a perfect time. And we hope that we can be partners in this and we can let you know because we are literally just starting the journey right now.

Hollis Kara: Wonderful, well reach out to us. We’re happy to help in any way we can.

Beverly Hicks: Can I add to that, that if you would be interested in piloting when we get to our IPv6, e-mailing the training, it would be the perfect time.

Hollis Kara: Yes, we’re always looking for guinea pigs who are willing to test drive training before we launch it publicly to make sure that we didn’t miss anything and that the information that you need is there. So happy to take volunteers.

Alright. Now, I really think we’re done.

With that, we have a little bit more time before we’re ready to go to break, so I’d like to invite up General Counsel Michael Abejuela to give an update on legal items at ARIN.

General Counsel Update

Michael Abejuela: Wonderful. Good morning. Good morning!

From the floor: Good morning!

Michael Abejuela: Alright. So looks like we’re in the home stretch, and they left the most exciting staff update presentation for the end, which is the Legal Update.

I will say that I am very happy to see all of you here and in the virtual rooms because I did have to miss my first ARIN meeting since joining ARIN back in 2010 the last time.

It was my parents’ 50th wedding anniversary actually on the date of the ARIN meeting. And in the hopes of not getting disowned, I actually had to sadly miss seeing all of you.

But we’re all here. This is actually going to be my 29th ARIN meeting, so just one quick thing – I know I’ve met some people who are here for their first meeting – could anyone stand who beats me and has 30 or more ARIN meetings they’ve attended?

(Applause.)

Very cool. Very cool. As I said, I’m very happy to see all of you here. I’m going to ask for a few moments where we’re just going to go over a little bit of what the work that’s under the General Counsel’s office. Let’s get into it here.

Okay. Where’s the button? Alright.

So under the Office of General Counsel, we have both the Legal Department as well as the Government Affairs Department.

When you look at the Legal Department, we actually, people will say, we have one client, which is really the ARIN company. But we actually have many clients. We support the internal side of us, which is all the different departments. We engage with them with internal clients; event contracts, such as what we had to do to get this put together today; HR issues; just anything that pops up, we’re there to support.

We also support our Board, the ARIN Board; the ARIN AC; the NRO NC; and the various volunteer bodies that we have.

For example, with the ARIN AC, we’re very integral in the Policy Development Process with the Staff and Legal reviews.

We also support all of you, the community. So when there are legal issues that pop up, part of this is the ongoing ICP-2 review. The legal department takes a big role in trying to help support that effort.

Our department has the General Counsel; a Deputy General Counsel, Jennifer Lee, who is sitting in the back; we have a staff attorney, which we are currently recruiting for. So if any of you know anyone that might want to come work with us that has a legal background and is in the local DC area, please send them our way. We’d love to talk to them and see if we can have them join our team.

And then outside counsel, we also have where we engage with the various law firms in case there’s any kind of expertise that we need.

On top of that, I oversee the Government Affairs Department. And you had the privilege of actually hearing quite a bit. So Einar gave a great presentation a couple days ago.

You heard from our various members yesterday with kind of the government engagement efforts. And I’m not going to try to repeat what they all did and what they all said.

But I do want to recognize, first of all, that we have the various members. We have: Einar Bohlin, the Vice President of Government Affairs; Leslie Nobile, the Senior Director of Trust and Public Safety; Nate Davis, the Senior Government Affairs Analyst; and, of course, Bevil Wooding, who’s our Director of Caribbean Affairs.

I do want to recognize all the hard work they do because this is an area that’s not necessarily readily visible to the ARIN community, but it is very important, the work that they do, because one, they’re engaging with the governments in our region, as well as monitoring kind of developments on a global scale, things with the ITU and with the UN, and really looking with an eye towards protecting the interests of the ARIN community, for all of you and the multistakeholder model, and kind of overall Internet governance.

I do want to recognize that because also on top of the fact that they’re doing all that hard work, it involves a lot of travel, which obviously those of you here in person, you understand the challenges of travel. And while it can seem like it’s kind of cool thing to do, it often involves many long hours.

And even when they’re not traveling, they are on different time zones for their phone calls. I know I talk to Einar and his team quite a bit and I’ll say, so, how is your day? It’s 9:00 AM. And he’ll say, I’ve been on a call since 4:00 a.m.

So they spend a lot of time in off hours putting in that hard work. So I do want to recognize them there.

Alright. So kind of the little bit of the more interesting pieces of current developments with AFRINIC.

As many of you probably know, AFRINIC is undergoing some governance challenges. And we remain very supportive of them. We are very optimistic and hope that they can overcome those governance challenges in the coming months.

We recognize the hard work. Since they do not have a quorate board, they have not had a CEO now for a couple of years.

We recognize the staff over at AFRINIC. They’ve put on some wonderful efforts to keep the registry there running. So I think they are very due for recognition of all the hard work and dedication that they have there.

(Applause.)

Couple of things. And I will call out a little bit with our Comms team. They’re very good at preparing all this. I will publicly apologize to them. I had to give them slides very late because I wanted to give the most up-to-date stuff that was happening, and there’s things that happened just in the past two weeks, including just a couple days ago since we were here.

AFRINIC, they are currently, again, like I said, they don’t have a quorate board. So one of the things that’s coming up is that they’ve been under a Receiver. They had a new Receiver appointed in February of this year, Mr. Gowtamsingh Dabee. And he is in charge of, kind of, overseeing AFRINIC’s affairs, but also really tasked with putting forth an election that they can put before a board who can then hire a CEO because they’re both without those.

There was a communique that came out just 10 days ago, about 10 days ago, April 21st, and they have scheduled or we are pleased to see that they’re scheduling an election for June 23rd, so just about six weeks or so from now.

This communique that went out did a few things. They appointed a Nomination Committee. What’s interesting is they have a chair who is a King’s Counsel over in England. And then he’s assisted by three other barristers in England and Wales.

That might be a little bit interesting because they’re all from the UK and this is in Mauritius. But there are some details. Happy to talk with anybody about this, by the way, in the back, one-on-one. But there are some interesting details about that, about how the AFRINIC election has to go on.

They also appointed an election committee. And that’s going to be led by a member of the AFRINIC staff, so the head of their value-added services, another AFRINIC staff member. And then there is a member of the online voting platform and the election vendor that they chose as well as an accountant in the Receiver’s office.

They also named Civica Election Services, which apparently is a UK company that specializes in running elections. And they’ll be handling both the online voting platform as well as any paper ballots that will be in the election.

There was a second communique that came out, like I said, just a couple days ago. This one was from the election committee. This was something from the head of value-added services over at AFRINIC. And they gave a little bit more detail on how the election will be run.

So one thing is that this will be a hybrid election format. Some of us have seen, throughout the years, you know, there have been RIRs that have done paper ballots, you’ve seen RIRs that have gone fully electronic. We do everything electronic.

This will be a hybrid format, which is going to allow for both physical voting at a polling place in Mauritius on election day. Details of that haven’t gone up yet, but someone can come in and vote with a piece of paper as well as they’re going to have online voting.

In the communique, there was various details about voter eligibility. I think this is limiting the voting to resource members only. There’s some thoughts about when you look at the bylaws about their Registered Members, Resource Members and I think Associate Members.

But there will be Resource Members in good standing who will participate in this election. And then you also have various requirements about designating the representatives, both from an electronic voting standpoint as well as who will represent the organizations from a physical voting piece.

They did say that they’re voting in one of three ways. You have the online, as I mentioned. But they will have to designate their representative early. I believe it’s earlier in the month in June that they actually have to reach out and actually identify who will be voting for them electronically.

They could come in with an authorized representative who will actually be in Mauritius, either if they’re already there, or fly to Mauritius and hand in the paper. Or there will be proxy voting as well.

I wanted to give that update because we’ve been monitoring this for the past couple of years. We’ve been providing as much support as we can. From the legal side, we’re obviously taking a look at how this all plays out.

But we are remaining very hopeful that the AFRINIC community will have the opportunity to voice or cast their votes and have their voice heard so they can actually have a Board, that they can move forward and they can appoint a president and CEO and then be fully quorate and operational as well.

I think that is it. I want to be respectful of everybody’s time. I know we’re trying to get through a lot of stuff.

If there are any questions, happy to – we could take some right now – but also I’ll be around. If you want to find me in the back, I’m happy to chat with you.

Hollis Kara: Alright. Do we have any questions for Michael? Alright. I guess folks will catch you on the break. No, sorry, I didn’t mean to rush you.

Marcus Jackson: Marcus Jackson from AWS. Curious how did there end up with so much – without getting into all the details about how the election happens – why is there so much British influence in reestablishing AFRINIC?

Michael Abejuela: So I won’t get into too much because I’m also not an expert on Mauritius law and Mauritius governments, but one of the things that was very evident is that when you have legal disputes in Mauritius, you have regular courts, just like in any of our jurisdictions. You have courts of appeal and everything else.

But they also, the ultimate kind of, if you go through the legal process in Mauritius and then there’s still kind of, like, an appeal, it’s ultimately to the Privy Council that’s actually in the UK. That’s kind of a pull-over, I think, from the former ties that Mauritius had with the UK.

It is interesting because when we saw that all come out, I will say one thing – and I caveat this that I’m not fully an expert on the Mauritius end as well as the AFRINIC kind of bylaws and everything. I’m not providing legal advice as a lawyer, I’ll give kind of the disclaimer.

But I will say that from my understanding, just say with the Nominating Committee, AFRINIC is an interesting structure there where they actually have regions in different areas within the subregions where their seats are allocated to.

So for us, we don’t have that. We don’t say, so many people have to be from the West Coast or from the East Coast or from Canada or the Caribbean. It’s just kind of open for the region.

In the AFRINIC region, from what I understand, is that they have various subregions that they have to have seats that are occupied and filled. And what’s interesting is I think they’re not supposed to have any member of the Nominating Committee in a region with a seat that’s up that year.

But what’s interesting is when you have an election for the entire Board, what region is not able to have somebody there? So I think that’s where they had to kind of make it work.

I think what they’re also trying to do is they’ve appointed barristers who have that legal mindset, so hopefully they’re making sure the bylaws are followed, making sure there’s accountability in the process and everything else. But it is an interesting piece to come up.

Hollis Kara: Looks like we have one comment or question from online.

Beverly Hicks: Kate Gerry, NetActuate: “Regarding the chatbots spoken about earlier, are there any legal concerns about an AI chatbot creating a new ARIN policy? This is in relation to the Air Canada chatbot misinformation that Air Canada was held responsible for.”

Michael Abejuela: I will say I’m not familiar with the Air Canada chatbot thing. Although that sounds very interesting. So with regard to – I guess this is talking about making policy. And with chatbots, I guess, it’s – to answer your question, if there’s a legal concern, I’m going to give a legal answer. It depends.

(Laughter.)

So it depends on how anything is deployed. It depends on what we’re using. A lot of these things will come down to the way that we use something, the way that there will be terms that are being used. There are obviously things, like privacy or accuracy or anything like that, and even fraud and whatnot.

So not knowing the full details of how we would do that, I would say that it depends. But we definitely are happy to look at things that can be for kind of advancement and new ways to do things. But we always will have the legal people kind of be the stick in the mud and maybe say, I don’t know if we should do it that way or anything.

But I see my boss is standing up and looks like he might have some comments, as well as I know we have another comment that will come up.

John Curran: So if you have an AI system that speaks with your customers and your AI system answers a question and offers a transaction, like, yes, we can give you a /8 of IPv4 address if you fill out this template, it’s possible that that’s a binding commitment depending on how it was phrased.

The application is complete, send us the fee and you’ll get your /8. Well, thank you, AI. We may not have one to give out. So use of an AI, we have to be very careful to make sure it doesn’t extend offers because it can extend an offer on behalf of the company that we could be held liable for.

So this is why I’d like a suggestion about what you want that AI to do. Do you want that AI to help you figure out what form to fill in? Do you want that AI to help you understand the status of your resources?

When someone says they want an AI to help them interact with ARIN, depending on what department and what they want to do what with Registration Services, poses a different problem. And I think if we take a suggestion for that and bring it to the community, we can talk about it.

It is unlikely we would ever let an AI interact with you and do final Registration Services decision on number resources. So your interaction with it would probably be limited to preparatory and not decisional activities, if that makes any sense at all.

Michael Abejuela: I’ll say one thing really quick, the chatbot AI piece, just the other day I had a phone call, and it looked like my phone was screening it. And it looked like it was somebody who is from the treasurer’s office at my county who was reminding me that I had taxes I had to pay in the coming weeks.

But I used the Google Pixel’s feature to answer it. And it was really funny to see the transcript happening, that two things that weren’t alive actually talking to each other.

And then it’s interesting you bring that up because I said, did I somehow guarantee that I got notice about my taxes and I need to pay? But I don’t know, we’ll see.

Kevin? We’ll see if I’m here at the next meeting. You’ll find out.

(Laughter.)

Kevin Blumberg: Kevin Blumberg, The Wire. You may be only at the meeting because this is where you’re living now.

(Laughter.)

AI is a generic term. It’s a smorgasbord and buffet of different ideas and concepts and all of those things.

In fact, it’s a buffet. It’s a one kind of restaurant fast food, it’s fine dining – it’s everything or anything you want it to be. And it’s also the world’s worst buzzword when it comes to pretty much anything.

The point of it is, how can ARIN utilize it in a way that is acceptable and beneficial to itself and its members? For me, it’s about finding things on the ARIN website because search, the traditional heuristic search just doesn’t cut it anymore. So using something a little bit better would be great. The chatbot, again, for the purposes of finding information might be fine.

As to what John said, I agree 100 percent, anything that requires human intervention should absolutely continue. I’m not comfortable and I won’t be comfortable for a number of years because of the hallucinations – a term that’s used, the hallucinations – that AI has.

But that doesn’t mean we shy away from it. It doesn’t mean that we don’t do it. And I think you, unfortunately, are going to be front and center because you’re going to have to balance the benefits from a legal perspective with the benefits to all of us.

But the time savings for everybody here and, more importantly, the not having to rely on somebody who has been around for many years to actually be able to tell you what’s going on is invaluable to this community.

So, yes, you need to do something. Whatever that may be. We understand there are risks. You’re the best person to help mitigate some of those risks, or just say, we can do this but we can’t do that.

Michael Abejuela: And from the legal perspective, just to say about the AI component, you’re right that people use it. It’s the buzzword of the day. One day “cloud” was the buzzword of the day, and people really didn’t know what that meant or they made it mean everything.

AI is kind of the same thing. So from a legal perspective, I think at least from my side – and this may not necessarily be all of ARIN’s perspective – but to me it’s a tool. It’s a tool that can be used.

To John’s point, from the community, if you want us to look at some of this and you think it would be good kind of – some efficiencies could be realized, whether it’s searching, whether it’s the interaction, that we can look at it.

And once we have the scope, then the Legal team can look at it and see, well, what are the risks, what are the rewards? How can we do things that will make it more efficient?

But it’s just like any other tool. I mean, there are tools that make things more feasible, that help people do things that they otherwise couldn’t have and make it faster. But the one big thing is that but you have to be careful with it.

So there are so many concerns. We work with Christian, our CISO, in terms of using any kind of AI tools. I work with Jennifer to think about what the legal risks are. But the big thing is really going to be what we’re going to use it for, to make sure that we are very scoped in and then that we can find a way to be able to utilize it.

I’m a big proponent of trying to find advancements and new ways of doing things.

I knew there are ways of interacting with the community, there are new ways of trying to have discussions, online discussions. If AI can be part of that, I’m very supportive of it. But we just have to be careful and make sure.

I don’t think we’re at the point yet where we’ll just say, alright, we have it and it can do the work of people. I think what it can do is actually help people do the work that they’re doing and be more efficient in us being able to service the community a little bit better.

Hollis Kara: Awesome. Alright. Anyone else? I think we’re good.

Michael Abejuela: Thank you so much. (Applause.)

Hollis Kara: Alright. We are close to the end of the agenda. So we’re going to keep pressing on before breaking. I’d like to invite Rob Seastrom up to talk about the work of the Risk & Cybersecurity Committee.

Risk & Cybersecurity Committee Update

Robert Seastrom: Thank you, Hollis. I get to learn how to use this again because I haven’t in six months.

So I’m Rob Seastrom. I chair the Risk & Cybersecurity Committee of ARIN. In my day job I’m involved in cyber risk governance at Capital One, which is a big bank.

We’re going to go over a few things. Here I only have three pages worth of statistics, which makes me feel a little bit inadequate compared to some folks who have presented so far.

So let’s talk about Risk Register, which is one of the main things that we do being the Risk & Cybersecurity Committee.

We have far more risks facing ARIN than we can hold in our minds at one time. And the only way to properly contextualize them is to write them down and assign some scores to them.

In fact, why don’t we mitigate a risk, identify and mitigate a risk while we’re up here right now. There’s a risk that Rob Seastrom might get long-winded and run us over here.

And I think those of you who know me well will agree that on a scale of 1 to 5, the likelihood of that risk is a 4. Thanks, Leif. We could make it a 5 if we wanted to. But we usually save 5s for the really, really bad ones.

The impact, we might say the impact was a 1. But we’re right up against the break. So we’re going to say the impact of that is a 2.

Our likelihood times impact is the risk. And that’s a dimensionless unit, but it drives our prioritization. But let’s try to mitigate that risk.

Well, I created a slide deck that only has 11 slides on it, including the title slide and the thank you slide.

So that’s guardrails. That’s a control. It’s an imperfect control, but it reduces the risk. It probably brings the likelihood of me running over from a 4 down to a 2.

So our remediated risk – that’s a remediation plan. It’s not complex. But it’s sufficient in this case to cut the risk, the total risk of me running over in half.

So we’re going to talk about a couple other risks that are on the Risk Register, actual real-life risks – a little bit of a spoiler here. These are risks that are pretty apparent and obvious. One of them is more or less remediated although we continue to watch it. Another one is one of those kind of forever risks.

But we are not going to get deep into ones that might be sensitive in some sort of way because that’s not really the point of this discussion. We’re talking about metrics and the direction that things are headed.

Here’s the example risk. We might run out of money. And ARIN has a remediation plan for that. If you’ve been paying attention to the Fin Com’s reports over the last several years, you’ll discover that we have reduced that risk to a likelihood of 2 out of 5, lower impact level through engagement with the appropriate organizations to manage our reserve fund and control of our own expenses.

How about another example risk? Well, this is one that’s never going to go away. We’re always concerned about supply chain. We’re always concerned about ransomware.

We have a remediation plan. It reduces the risk to an acceptable level, but it doesn’t make the risk go away. We continue to track this forever. By the way, we continue to track our financials forever because none of these are one and done.

So let’s talk a little bit about how much stuff we’re tracking. In 2025, we’re tracking 28 top level risks. We’ve added four in the past year. And we characterize these risks between strategic, operational, financial and technical in two areas, on two axes.

You might think, gee, you’re the Risk & Cybersecurity Committee, why do you track so few that are actually technical risks?

And the answer is because we are not an executive Board, we’re a governance Board. And we’re concerned about the breadth of the organization’s sustainability and risk.

So we’ve mostly picked up new risks – let me check my notes here – in the – somebody look over this quickly. Strategic, yes, okay. So, again, anyone who has been paying attention to the ecosystem over the past year understands we’re picking up and tracking.

It isn’t that the risks are new; it’s that we’ve decided to add them to the things that we formally track.

And even as we do that, the probability of the risks that we track are trending lower. We have one more that’s falling. We’re more or less steady on the ones that are steady. We have little that’s rising. We’re actually reducing the ones that are rising.

So now we have a Risk Register. What do we do with it? We create it and curate it with the aid of our CISO and CEO.

We review the progress made on all of the remediation plans monthly. We use our Risk Register meeting minutes and the Risk Register itself to inform our annual memo to the Board of Trustees, which is in process. And we do a detailed annual walk-through of the Risk Register with the entire Board.

This is something that’s new, but I think that this is something that’s also important because broad awareness of the risks that are facing the organization are important for Board members to fulfill their fiduciary duty.

You’ll notice we were doing this with numbers that were very subjective and coming up with a dimensionless vector to give a risk number. That’s okay. It’s a nebulous concept. There are subtle moving parts to keep in mind.

If we don’t write stuff down, we could not possibly track 28 risks just keeping them in the back of our minds.

Taking an active and thoughtful approach to managing risk is important. It is a sign that we’re mature and maturing as an organization.

And I’ll be happy to take some questions.

Hollis Kara: Alright. You heard it here first, folks. Microphones are open, as is the queue online. Come on down.

Robert Seastrom: Left microphone.

Chris Woodfield: Chris Woodfield, ARIN AC. You showed examples illustrating the risk with remediations. Do you do a measurement of risk without remediations versus risk with and then compare how much –

Robert Seastrom: Yes, without is the inherent risk. So that’s without doing any remediation whatsoever. It’s probably at a level that is not acceptable, meaning that we can’t accept it.

It’s not a value judgment. It’s that it’s not congruent with our risk appetite and where we want to go as an organization.

And the remediation plans and controls that we put in place reduce it hopefully to an acceptable level. And if it’s not yet at a level that we can accept and run with for the organization, we iterate on that until such time as it is.

Chris Woodfield: So if I’m understanding you correctly, different remediations can generate different risk scores depending on what type of remediation you choose. So there’s an optimization of lowering the risk to an acceptable level versus the cost of implementing that remediation. Am I –

Robert Seastrom: Oh, bsolutely. And the remediations often have their own risks. I have, at work we have IPv4 runout and continuity inside the organization. And every single one of our remediations is, like, you choose this, I’m registering risks against it. You choose this one over here, I’m registering risks against it, too.

There is no silver bullet here.

Chris Woodfield: Okay, thank you.

Kevin Blumberg: Kevin Blumberg, The Wire.

I guess a simple way of remediating is unplugging from the Internet, then you don’t have to deal with anything, right?

Robert Seastrom: There is, in fact, risk in everything we do, even in stepping up to that microphone. You could have fallen and broken your leg. Low likelihood, high impact.

(Laughter.)

Kevin Blumberg: It could also be arranged. So you could help fix –

This is great because it’s proactive versus reactive, which many organizations are attuned to dealing with problems and risks. They let the risk hit them in the face and then they deal it reactively.

You, at the Board level, taking on this hierarchy proactively, looking at the risks, so that you’re ahead of the curve when something does happen is great.

I will assume – I know there’s a word in assume – but I will assume that the risk categories and the ideas that you have are consistent among many different kinds of organizations as in a not-for-profit, technical organization, those risk factors are fairly consistent. How you deal with them is different. How you mitigate them is different.

But a lot of the categories should be consistent in these categories. Is that –

Robert Seastrom: The two that I gave you were, aside from the one that your presenter runs late, which I believe is universal, are ones that are not unique to us. They’re very broad. Hey, our reserve fund might get depleted. Well, show me an organization that doesn’t have that risk and should have that risk registered. Hey, we might have supply chain or malware – either you know about it and you’re taking action against it or you’re willfully blind at this point.

There are things that are registered that are more sensitive, that are sector-specific, that we are therefore more cautious about talking about. So it’s not just a boilerplate thing – yes, you’re a nonprofit member organization in a technical sector; here’s your Risk Register, go for it.

There’s a lot of work that goes into deciding exactly what we’re going to register versus what doesn’t quite apply to that, versus what is actually an issue that gets slotted underneath a risk that’s registered, that sort of thing.

I haven’t – in the interests of not turning the plenary here into a general discussion on how risk governance works, I haven’t gone down into risk versus issues versus what’s a mitigating versus other kinds of remediations, what kind of controls we have. I don’t want everybody’s eyes to glaze over.

Kevin Blumberg: Actually this is a fascinating topic I think for everybody. At the next ARIN having a talk on that, I think, is very helpful because we have to understand when we do policy, it has an impact.

And this whole concept of risk sort of plays into your simple change over there has a much larger effect or impact. I think this is a brilliant conversation.

We have very similar slide decks, ARIN to ARIN. And this is actually a new one. I really like it. I’d love to see more.

Robert Seastrom: When we do Staff and Legal, a lot of time what they’re doing is raising risk.

Kevin Blumberg: Understood. Thank you.

Robert Seastrom: Thank you.

Hollis Kara: Awesome. Let’s come over to this side of the room.

Lily Botsyoe: Thank you so much. Lily, ARIN AC and University of Cincinnati. Just to first say that that was really clear for somebody who works in risk also. And for the head of a salesforce handling risk, I think this is really breaking things down and a good refresher for me.

Robert Seastrom: Is there a risk that you might run late when you are doing a presentation, too?

Lily Botsyoe: Yeah.

Robert Seastrom: This is universal.

Lily Botsyoe: It is. Two things, one thing, actually. Where can we see where this is housed? Like, you’ve given us what you’re working on, remediation, what you work through over the month. Is it housed somewhere in the ARIN platform, that we can go over and see?

And who is the Internet audience? Are we looking at risk internally just for ARIN, or would this be also beneficial for third-parties NS other customers? Those are the two things I want to understand. Thank you.

Hollis Kara: And RS, I see JC has stood up.

Robert Seastrom: JC is standing up. I’m going to defer to our CEO for talking about this.

John Curran: As it turns out, the Risk Register, as people know, has risks that are generic to all organizations, risk that someone breaks into your systems or risks that you have financial fraud because you’ve had a wayward employee who’s absconding with money. Those are generic risks.

And then we have some ARIN and Internet number registry risks, like risks of an RIR failing. It might not be us, but if an RIR fails it impacts all of us. So there’s some specific ones.

Now, some of these risks we talk about easily. But some of these risks are risks that the Board of Trustees is aware of, that we may not have mitigation plans developed and sufficiently deployed.

In fact, a Risk Register is a great roadmap for how to take down an organization.

The most sensitive document that the Board of Trustees looks at is the ARIN Risk Register. And as such, we actually won’t be publishing it to a place for everyone to look at.

But if you run for the Board of Trustees you’ll get to sit down and review it with me and gnash your teeth and worry about will ARIN live for another 12 months.

Now, the good news is we’ve done a very good job. And the Board of Trustees has leaned very heavily to make sure that the prioritization of the risks, the probability of them occurring, product with the impact if they occur, gives an overall factor we look at.

The top risks all have good mitigation plans. They’re all underway. But there’s always new ones popping up. We talked about AI the other day.

ARIN has requests that come in and we presume people write them. But as Michael said, nowadays AIs are talking to AIs. We could have someone submitting a request written by an AI. We have someone submitting credentials generated by an AI.

That’s a risk. That’s a new one, ARIN-specific, and it’s on the Risk Register. I mention it because it’s so obvious that if you folks haven’t thought about it, me mentioning it, probably isn’t in danger.

But developing the mitigation plan and getting it in place and the timeline for that and what we’re doing in the interim, none of that I can really talk about.

Just the thing I needed to relay is that I’m very proud of the Board and the risk committee for working on these things. But this is, by definition, a sensitive topic.

Robert Seastrom: I would only add that if you have ideas for metrics and KPIs and things that you would like us to be reporting on without reporting the details, please reach out to me because I feel inadequate showing up here with only three pages of statistics.

Lily Botsyoe: I mean, that is in essence what I was looking for. Certainly not the Risk Register because that would literally tell every other person who could penetrate whatever vulnerability that exists that here it is, go this way.

In essence, what Kevin also described, even for next year or, sorry, in the next ARIN meeting, can we do, say, a presentation, like the talk somebody had on Internet integrity? Use some of what was shown, high level, describe what it looks like, teach in that way.

And metrics and KPIs, I think, is also another way to share with us some of those things. In essence, not a register in the public domain but some of the things you’ve seen to educate. Thank you.

Robert Seastrom: This is early days for reporting for the Risk & Cybersecurity Committee.

This is only the second time I’ve stood up here delivering a report like this. So any ideas on how to evolve the report, give more information about our trends and how we’re doing to the community, I’m very open to that. Thank you.

Hollis Kara: Awesome. Want to come back across over here.

Atefeh Mohseni: Atefeh Mohseni, ARIN Fellow. I’m curious, the time horizon, do you assume to put a risk on there rising versus the steady category?

Robert Seastrom: Time horizon. I think that trying to do a generic rule would probably be getting too specific and would actually add blind spots rather than reducing them.

The numbers in this are subjective enough already. The trying to say, well, you know, I can’t call this rising because it’s an 18-month problem instead of a 12-month problem, probably would be value subtracted. I see John standing up here.

John Curran: If you think about – there are risks that are so long term that there’s no reason for us to do a mitigation plan.

So, for example, the heat death of the universe will occur at some point. That will happen and I don’t need a mitigation plan. So there’s long-term events. The window we’re looking at is, from a budget and planning and execution, there are steps we can put in place to help improve ARIN’s risk profile over a medium strategic window. So think three to five years.

If you think about it, when we sit down and figure out what we do, it’s not classic Strength Weakness Opportunity Threat, but we do spend a lot of time thinking about opportunities; how can we improve the service to you. And we’ve spent a bit of time worrying about how we eliminate threats to the organization.

So the Risk Register feeds our strategic direction, where we need to strengthen or change things, and the strategic direction is what sets the operating plan and budget each year.

So I guess implicitly there’s a three-to-five year – if the risk is beyond three to five years out we’re not looking at it. If the risk is in year, it’s not that we don’t look at it, but we’ve already got a mitigation plan and we’ve already got a budget.

The ones that are most significant on it are the ones that are more than 12 months and less than five years, if I count back into it.

Robert Seastrom: And, as always, there’s exceptions to that. We were doing mitigations for IPv4 runout the better part of a decade before we actually got that last /8.

Hollis Kara: Awesome. We’ve got one last question or comment.

Caleb Ogundele: Hi, my name is Caleb, and my question is basically because of the fact that you did mention something around the finance, the risk around finance is how it connects with the cybersecurity issues.

So I know I’m supposed to probably direct maybe the question to Nancy, but my question basically that is making me curious is, given the way the climate is right now, specifically in the North American space, there are a lot of trade wars and all of that, finance plays an important role in cybersecurity and supporting the effort and all the things that’s gone on there.

Now the question is, are you thinking, as part of your risk on the financial part of diversifying portfolios, investment portfolios that can help bring maybe good use to your reserve funds if maybe you guys have investment portfolios around that? And it will help maybe mitigate future risk when funds are needed for certain things that revolves around your Risk Register. I don’t know if you get my question.

Robert Seastrom: I think I understand the question. I think the question boils down in a few words, let me state it in my own words, how isolated from market volatility and other risks is our strategic reserve fund?

Caleb Ogundele: Absolutely.

Robert Seastrom: Okay, I will invite Nancy up to talk about it if she wants, but I can tell you I’m pretty impressed with how well – it’s certainly designed for that.

Brian, even better. Our CFO.

Brian Kirk: Brian Kirk, CFO. Currently we work with investment advisors, and they look at the portfolio each year. And we work with the Fin Com members and the whole Board to really analyze our risk/reward portfolio, our view towards that. We really take a pretty conservative view.

Even with all the uncertainty we’re seeing right now, we haven’t really been hit very hard over the last few weeks. So our conservative portfolio was protecting our investments.

Caleb Ogundele: Okay, so follow-up question. Just thinking of the diversity of that portfolio, are you thinking outside the North American space maybe to help stabilize, maybe in the future, we don’t know what the volatility of things will be in the future?

Brian Kirk: We do have some international investments in the portfolio, yes.

Caleb Ogundele: Excellent. Thank you. I see John.

John Curran: Let me recognize that our reserve is very conservatively invested. In fact, I’d like to take a moment, if you all see Nancy, thank her when you see her because she led a review of our reserve investment strategy – because that’s what really drives it; your strategy sets what you end up investing in.

We looked and our very conservative investment strategy, actually wasn’t as conservative as it probably should have been given the nature of the reserves and what they were planned for. We actually revisited that a few years back. It resulted in a more conservative footprint that has many different diversity elements and hedging elements to handle downturn.

So our investment reserves, we’ve had a period of volatility in the markets. I think people know over the last five months the markets have gone up and down. We are actually sitting, if I’m correct, as of now we’re where we were at year-end, if I’m correct. Substantially, we’re sitting stable, and that’s because of the diversity of our portfolio.

Caleb Ogundele: Okay, thank you. Since John wanted me to thank Nancy, thank you, Nancy.

Brian Kirk: And we are actually a little bit above where we were at the end of 2024.

John Curran: Even better.

Hollis Kara: And we have another question.

Roman Tatarnikov: Roman Tatarnikov, IntLos Consulting Company. One of the proposals, how to add more slides and more data, maybe the risk-ratio part of it can become public.

Not the current Risk Register, but saying, like, hey, here are the risks that were mitigated and essentially, almost eliminated. They can be listed. Because on one side it shows the progress and on the other side, some companies, when they do RFPs to their different vendors, they require that the vendor disclose, like, what the risks are, how it was built and so on and so forth. Then it helps them to lower cyber insurance and so on, all that legalese and GRC stuff.

Maybe disclosing, putting it like this also gives an opportunity to show to some vendors, hey, we’re ARIN. We’re lowering the risk. And in order for your cyber insurance to go down, if you want to see our risks lower, feel free to participate, contribute the funds to us so our cybersecurity committee can increase the scope. And that’s it.

Robert Seastrom: I have two answers to that. One is that the reduction of risks that we believe that we have got covered are every bit as sensitive as the ones that we still have open and listed high, because showing what we have done to move it into that box, well, the threat landscape is always evolving.

And I don’t want to publish that roadmap of, hey, we think we got this closed out two years ago, and, oh, wait, what did you just read on this mailing list the other day? Yeah, this is – the door is open again.

So that’s difficult. It’s not impossible to be more specific on things that have moved lower.

What was the other thing you asked? Oh, about cyber insurance. So we’ve been through the cyber insurance RFP process. They, too, are metrics-driven. And there’s not a lot of fine-grained review of what you are and aren’t doing. They’re interested in, do you meet this bar? And Christian talked yesterday or the day before, I forget which, about what certifications we get.

The insurance companies love certifications, not because they necessarily make you more secure, but because they say that you pass a certain bar. In other words, you have enough good manners to sit with the grownups at Christmas dinner.

That’s reason, by the way, that people who are doing business with ARIN and have to explain that to their cyber insurance people, too – it’s, like, we have this SOC 3 standard printout, and they go, okay, good enough for me, and you don’t need to fill out the long form anymore.

Reading the fine details of what we’re doing to reduce risk, that’s good for actually reducing risk. It’s not good for reducing costs, because the cost of doing it would be so at scale – if you’re a cyber insurance company, you have 20,000 potential customers. It’s inherently nonscalable. So they like things in these nice little boxes for analysis.

Roman Tatarnikov: Alright. Thank you, Rob.

Rob Seastrom: Thank you.

Hollis Kara: Go for it.

Kevin Blumberg: Kevin Blumberg, The Wire. Complacency, this helps with complacency. Many people in this room didn’t think that the supply chain would get as badly affected as it did three, four years ago. The reality is it’s always a risk. But complacency, it’s always working fine, so therefore the risk is low.

Don’t have a mitigation plan for it. Don’t really look at it. That sort of thing plays into it.

But it also then comes down to lessons learned. We learned a very valuable lesson during the supply chain that was custom parts, that were flavor of the day, were great, were really good when there wasn’t a supply-chain issue. And suddenly having custom versus just off-the-shelf when it came to a supply chain issue became a much better way of doing things long term.

We learned a hard lesson. Our organization learned a hard lesson that way.

Robert Seastrom: Sure. And we worry not only about the supply chain of physical objects, but the supply chain of things like, this library calls and needs other dependencies. Some of which sure look legit when you read the README on them on GitHub. And then you read the source code and you go, well, why is it phoning home to over here? I don’t want that pulled in.

And it’s a constant problem, and it keeps popping up, like every two or three months there’s been another shenanigan in the trade press.

Kevin Blumberg: I guess where I was going with this at the end was, I sort of alluded to it before, are there lessons learned from other organizations so that you don’t have to learn the lesson yourself before identifying it as a risk? That was really my question. Is this something that you’re looking at the outside expertise to help you identify the risks?

John Curran: Cybersecurity or more generally?

Kevin Blumberg: More generally.

John Curran: We’ve thought about that. We, currently, this year, are bringing in someone to help with strategic planning. And our risk-management framework is the next set of expertise they want to draw on. But the strategic-planning expertise is what we’re drawing on this year. I have to phase my expertise tapping to match budgets.

Kevin Blumberg: Thank you.

Robert Seastrom: Seeing no more at the microphones, is there anyone remote?

Hollis Kara: There is not. I think we’re good. Thank you, R.S.

Robert Seastrom: Thank you, Hollis. (Applause.)

Hollis Kara: I love to see a lively conversation and was really happy that we all were able to get together and drive the risk that R.S. tried to drive down at the beginning of his presentation right back up. Thank you, everyone, for participating.

To wrap up the day I’d like to invite, they’re already here, Bill and John up on the stage, to run the Open Microphone.

Open Microphone

Bill Sandiford: Alright. Open Microphone, the last session of the meeting. Microphones are now open online and here in the room. Please approach if you have something you want to add.

Seeing none in the room, none online, we’ll give it another 30 seconds or so. While we do that, I’ll make one.

I’ve been coming to the ARIN meetings now for, what, 16, 17 years, something like that. And the one group that I think – we do a great job of obviously thanking Hollis and the entire team, the ARIN teams for running these meetings – but there’s a team over here at the table behind the scenes, Ken and the other guys from Clarity and whatnot, that have been here with us all the way along.

Ken and the audio team sort of has been our go-to guys to make us sound good. Nobody can make us look good, John, but they can at least make us sound good. And I’d like to give a round of applause for the people behind the scenes.

(Applause.)

Alright. With that said, any Open Mic issues online? None online? Nobody in the room? Come on, somebody’s got to say something or do you just want the break? Come on?

Alright, seeing and hearing none, no open mic today, John. I guess we’ve done a good job.

John Curran: Thank you very much.

Bill Sandiford: Thank you, everyone. (Applause.)

Closing Announcements and Adjournment

Hollis Kara: Don’t run away yet. Just a few last things. Thank you, everyone, for being here and pressing through this morning. It’s been a busy couple of days. Last bits of audience participation.

If I can get another round of applause thanking our Network Sponsor, Spectrum. (Applause.)

Our Webcast Sponsor, Google. (Applause.)

Our Platinum Sponsor, AWS. (Applause.)

And our Silver Sponsor, IPXO. (Applause.)

Alright. We really do want to hear back from you, how we did, what worked well, what didn’t, what we can add for next time. So, please, you’ll be receiving a link to complete the meeting survey.

Complete that and you’ll have an opportunity to win a set of Bose QuietComfort Ultra headphones. That’s a pretty nice prize. But your feedback does actually directly impact what you see happen at the next meeting.

Do save the date. We hope to see you in Arlington, Texas. I know Gus Reese, on our AC, is busy working up all kinds of great ideas for what we can do to have fun while we’re there.

We’re looking forward to a great meeting back-to-back with NANOG. We’ll be on the 30th and 31st of October. Keep an eye out for registration opening.

With that, we have done it guys. This is ARIN 55 over and out. Thank you so much for your time and attention.

(Applause.)

(Meeting concluded at 11:03 a.m.)

Related