Meeting of the ARIN Board of Trustees - 3 June 2024

Teleconference

 

Attendees

  • Bill Sandiford, Chair
  • Tina Morris, Vice Chair
  • Nancy Carter, Treasurer
  • John Curran, President & CEO
  • Dan Alexander, Board Trustee
  • Peter Harrison, Board Trustee
  • Hank Kilmer, Board Trustee
  • Robert Seastrom, Board Trustee
  • Chris Tacit, Board Trustee

ARIN Staff

  • Michael Abejuela, General Counsel, Secretary
  • Erin Alligood, CHRO
  • Alyssa Arceneaux, Exec. Coordinator, Scribe
  • Einar Bohlin, VP, Government Affairs
  • Christian Johnson, CISO
  • Richard Jimmerson, COO
  • Brian Kirk, CFO
  • Therese Simcox, Sr. Executive Assistant (virtual)
  • John Sweeting, CCO

1. Welcome, Agenda, and Conflict of Interest Disclosure Review.

The Chair called the meeting to order at 12:33 pm ET. He reviewed the agenda and asked for any changes to conflict of interest. Tacit noted that he would be recusing himself from the election conversation and the Chair acknowledged.

2. Approval of Minutes

Exhibit A

It was moved by John Curran, and seconded by Hank Kilmer, that:

“The ARIN Board of Trustees approves the minutes of 14 April 2024.”

The motion passed unanimously.

3. Q1 2024 Reports. (Exhibits B, C, D, E).

As previously emailed to the Board in May 2024. The President explained that these reports were not ready by the April meeting and therefore emailed to the Board in May.

Alexander stated he had a question on the Activity Report about the number of transfer requests, more coming in than going out this quarter, and why this would be happening. The CCO noted that there is nothing significant right now. However, there were a few large players that were moving IPv4 blocks from RIPE to ARIN but overall, this has slowed down.

Carter stated that she had a question regarding the Tech Debt Report; which of the items listed on the report are the most concerning to the CISO. The CISO said that he tends to look at the overall vulnerability/patch management issue and this would be his most important item. He stated that a lot of time and effort, with the organization’s investment, has improved this greatly. The other items listed in the report are more platform specific but would overall feed into general vulnerability issues. The President noted that the line item, Hive Upgrades, is where he feels ARIN is most exposed, and is what is foremost in his mind. The COO noted that ARIN is aware that the Hive upgrades have been red a long time but there was one issue, SWIP templates retirement, which was causing the delay but has recently been remedied by us reaching the community agreed to date for their retirement. He also noted that the rest of the Hive issues are in the lineup to be remedied over the next quarter as part of our development planning now that the SWIP template service is retired.

Harrison stated he had a question regarding the Risk Register regarding IPv4 and IPv6. He stated that there were no repercussions on an IPv6 only site. Additionally, he wanted to know what is ARIN doing about Artificial Intelligence risk and could be discussed in the risk strategy discussion in August? The President said ARIN needs to be able to manage IPv6 and IPv4 as there is a long history of IPv4; and this will be covered further in the August board discussion. The President asked for clarity on Artificial Intelligence mitigation and whether he was concerned about Artificial Intelligence being used against ARIN or on their behalf; and Mr. Harrison noted that he was concerned about it all. The President noted that he would take this second issue, with Artificial Intelligence, back to the Risk and Cybersecurity Committee and to discuss in August.

Seastrom noted that one item coming out of the Risk and Cybersecurity Committee would be to update the Charter to periodically review for all additional, or highly unlikely, concerns to be added to the Risk Register.

Tacit had a question on the Tech Debt Report about the items showing yellow in 2024, what are the approximate time frames in which they would move to green? The President noted these items would remain yellow until the budget for clearing these items are discussed with the Board.

Kilmer pointed out that it doesn’t matter the amount of traffic when talking about IPv4 and IPv6, it is the use and management of the resource. He also noted that none of the predictions have been correct, nor does it matter from his personal or ARIN perspective. He wants to make sure ARIN stays focused. The President stated that there was a major risk in the past when the migration from IPv4 to IPv6 was happening, but that the fee schedule was adjusted to mitigate.

Carter stated that she felt Risk 23, cyber, is low in her opinion. She noted that all cyber issues should be considered a higher risk. She also suggested that a general reputational risk is not on the register (i.e., staff or volunteer misbehavior) and should be considered by the Risk Committee.

(Exhibits F, G)

Governance Committee Co-Chair Carter noted that at the most recent Governance Committee meeting these documents were discussed and approved and they are now asking for the Board to approve and be sent to the Nomination Committee.

It was moved by Nancy Carter, and seconded by John Curran, that:

“The ARIN Board of Trustees approves the recommended 2024 Guidance Letter and Nominee Questionnaire, as written.”

The Chair asked for discussion. There was none.

The motion carried with all in favor with the exception of Mr. Tacit who abstained.

5. Approval of 2024 Strategic Risk Review Memo.

(Exhibit H)

Risk and Cybersecurity Chair Seastrom stated that the Risk and Cybersecurity Committee have reviewed the Risk Registry in its entirety and has identified the top items to review at the August Workshop. He stated that they will be discussed further in a deep dive, but he went through the risks picked for the memo and noted the reasoning why the Risk and Cybersecurity Committee made their choices with the President adding in their importance.

Harrison asked if under Insider Threat Risk, should the risk also include external threats (fraud and cyberthreat) in the Risk Register. The President noted that they appear under Risk 5, but he will work to update the Register to reflect the specific requests pointed out by Carter earlier in the meeting and the ones pointed out by Harrison.

Kilmer commented that the larger conversation in August should include a discussion about ARIN and its role related to governments.

Risk and Cybersecurity Committee Chair Seastrom noted that the Risk and Cybersecurity Committee had an outstanding action item from a previous Board Trustee to review highly unlikely or “never” events. He noted that the Committee has decided to update the Charter to review such events and consider all Trustee input twice a year.

Alexander stated that he wanted the risk of takeover to be added to the Risk Register. The President stated that the Governance Committee’s action item on that included providing a definition of takeover and possible mitigation steps.

Carter applauded the Committee for the hard work done on this risk strategy memo. She however thinks that a Board agenda item should occur annually for additions or newer events to be discussed. The President stated that there is a brainstorming session annually or twice annually for the Risk and Cybersecurity Committee and this will be added to the Risk and Cybersecurity Committee Charter. He was confused if she was asking if she wanted the entire Board of Trustees to review the Risk Register with the President. It was clarified that the Risk and Cybersecurity Committee reviews the Risk Registry and provides their input and reports throughout the year. Additionally, the Risk and Cybersecurity Committee will do a full, comprehensive review of the Risk Register on an annual basis and will invite the entire Board to this annual review. The Committee will provide a draft annual report that will be provided to the full Board. Further, the Risk Register will be made available to all Trustees to view and ask questions when it is presented to the full Board.

It was moved by Rob Seastrom, and seconded by Chris Tacit, that:

“The ARIN Board of Trustees hereby accepts the 2024 Strategic Risk Review, presented by the Risk and Cybersecurity Committee.”

The Chair asked if there was any further discussion. There was none.

The motion carried unanimously.

6. ARIN Policy Ratifications.

(Exhibits I, J, K)

At their meeting on 16 May 2024, the ARIN Advisory Council recommended the following policies for Board adoption:

  • Recommended Draft Policy ARIN-2023-6. The President stated that the draft policy is adding one line on the requirements being added to the waitlist. This draft policy went to ARIN 53 where it was looked upon favorably, then went to the AC meeting, and followed up with staff and legal review with no concerns.

    It was moved by John Curran, and seconded by Tina Morris, that:

    “The ARIN Board of Trustees, based upon the recommendation of the ARIN Advisory Council, and noting that the ARIN Policy Development Process has been followed, adopts ‘Recommended Draft Policy ARIN-2023-6: ARIN Waitlist Qualification’.”

    The Chair called for discussion. There was none.

    The motion carried, via roll call vote.

  • Recommended Draft Policy ARIN-2023-1. The policy went forward at ARIN 53 to retire the section and it was also looked upon favorably.

    It was moved by John Curran, and seconded by Hank Kilmer, that:

    “The ARIN Board of Trustees, based upon the recommendation of the ARIN Advisory Council, and noting that the ARIN Policy Development Process has been followed, adopts ‘Recommended Draft Policy ARIN-2023-1 Retire 4.2.1.4 Slow Start’.”

    The Chair called for discussion. There was none.

    The motion carried, via roll call vote.

  • Recommended Draft Policy ARIN-edit-2024-3. This policy corrects a typo in NRPM to change the word from “it” to “in”. The proposal was made by the AC and does not have to go to a meeting so coming directly to the Board for adoption.

    It was moved by John Curran, and seconded by Dan Alexander, that:

    “The ARIN Board of Trustees, based upon the recommendation of the ARIN Advisory Council, and noting that the ARIN Policy Development Process has been followed, adopts ‘ARIN-edit-2024-3: Edit 6.5.8.3 Section 2’.”

    The Chair called for discussion. There was none.

    The motion carried, via roll call vote.

7. Any Other Business.

The Chair asked for any other business.

  • ICANN staff reduction. The President stated this change was made under the current acting ICANN CEO, and there is a note on the ICANN website explaining that this was done due to a sizeable revenue change forecast.

8. Executive Session.

The Board moved into Executive Session at 1:45 pm ET.

9. Adjournment.

A motion to adjourn was made by Rob Seastrom, and seconded by Chris Tacit. The meeting adjourned at 2:39 pm ET.