Summary
- Mutual aid among the five regional internet registries is justified when it preserves authoritative records, account access, reverse DNS, transfer state, public directory services and routing-security functions during a defined operational emergency.
- The same assistance can create mutual immunity if incumbent boards control the trigger, peer approval substitutes for independent fact-finding, support finances a disputed leadership position, or emergency arrangements continue without a public scope, expiry, review route and handback test.
- A legitimate compact would separate a rapid service-rescue decision from any judgment about governance, fault, recognition or leadership; appoint an independent reviewer; protect resource holders from political pressure; disclose non-sensitive reasons and costs; and require renewal only after evidence that the emergency remains operationally necessary.
The midnight call and the morning-after question
Imagine a regional internet registry loses access to critical systems on a Friday night. The cause may be a cyberattack, a court order, sudden staff departure, political violence, financial failure or an internal conflict that has made ordinary authority uncertain. Network operators still need account access. Registration data must remain accurate. Reverse-DNS delegations may need attention. Transfers already in progress cannot simply disappear. RPKI publication and certificate administration may carry routing consequences. Waiting for a perfect institutional settlement would be reckless.
The other RIRs should help. They may lend engineers, provide infrastructure, preserve data, advance funds, offer security expertise or maintain a narrow service until the affected organization recovers. Their common experience makes them unusually capable of acting quickly. Mutual aid is not an embarrassing exception to decentralized governance. It is part of responsible stewardship for a system whose regional components depend on one another.
The harder question arrives the next morning. Who decided that the event was an operational emergency rather than a contested governance dispute? Which services may the assisting institutions touch? Whose instructions can they accept? Does the aid preserve neutral operations or strengthen one side's control? Who can inspect the evidence? When does the arrangement end? Can the affected registry's board renew support for itself? What happens if the board's conduct is one reason assistance became necessary?
These are not reasons to delay urgent technical help. They are reasons to split the decision. Service rescue should be fast, conservative and reversible. Institutional judgment should be slower, independent and reasoned. Combining them creates the risk that the people best placed to restore systems become, by necessity or habit, the people who validate the incumbent institution.
The Joint RIR Stability Fund makes the issue concrete. The NRO describes long-standing mutual support among RIR executives and staff, then formalizes board-backed assistance for serious threats to a registry's integrity or operations. It lists financial distress, loss of critical staff, natural disaster, conflict, political instability, criminal activity and serious infrastructure problems as possible scenarios. Support can be financial or in kind. The purpose is continued operation.
That is a sound starting point. It is not a complete accountability architecture. The public terms make the affected RIR board the formal requester and require unanimous NRO Executive Council approval. They require a budgeted action plan and audited financial reporting. Those controls protect the common fund. They do not by themselves provide independent review of the board's account, distinguish operational aid from institutional support or give resource holders a route to challenge overreach.
The morning-after question is therefore unavoidable: did the peers rescue a service, or did they protect one another from consequences? A trustworthy system should answer with evidence, not solidarity.
What mutual aid is for
Mutual aid has a narrow public-interest purpose. It keeps third parties from bearing the cost of a registry's disruption. A small access provider should not lose registration support because a board cannot meet. A university should not face unexplained reverse-DNS failure because a court has frozen an account. A cloud operator should not encounter contradictory transfer records because staff credentials disappeared. A hospital network should not become leverage in an institutional dispute.
The protected entity is continuity of function. The IANA overview of number resources describes the hierarchy through which IANA allocates pools to RIRs and the RIRs serve networks under policy. RFC 7020 records the distributed registry structure and the importance of accurate, unique registration. Because the hierarchy is distributed, failure at the regional layer cannot always be repaired by IANA performing ordinary RIR tasks. Peer expertise has practical value.
Legitimate mutual aid may preserve authoritative registration data, secure backups, public RDAP or Whois availability, member authentication, ticket history, reverse-DNS administration, allocation records, transfer state and carefully defined RPKI operations. It may also fund essential staff, forensic work, temporary hosting or physical security. The exact list should depend on demonstrated need.
Mutual aid is not supposed to decide who won an election, whether directors breached duties, which member faction speaks for a region, whether a court claim is meritorious, whether the registry should ultimately retain recognition or whether a neighboring RIR should inherit the territory. Those are governance, legal and status questions. Technical facts may inform them, but operational assistance does not answer them.
The distinction can be expressed as a beneficiary test. Service rescue benefits resource holders regardless of their view of the conflict. Institutional protection benefits the incumbent decision-makers first and asks users to accept that benefit as the price of continuity. If an assistance measure would be unnecessary under neutral temporary administration but is chosen because it preserves existing authority, scrutiny should increase.
A second test concerns neutrality. Suppose engineers restore a database from backup and permit authenticated holders to perform routine changes. That is neutral if the same rules apply to all and disputed high-risk changes are preserved for review. Suppose the assisting team recognizes credentials issued only by one contested leadership group, cancels access held by the other group and publishes a statement treating the dispute as settled. The technical act has become institutional alignment.
A third test is reversibility. Copying data into secure escrow, restoring a public service and maintaining logs preserve options. Changing corporate control, transferring assets, reallocating resources or permanently moving authority may foreclose them. Emergency assistance should prefer acts that a later lawful decision-maker can review or reverse.
The need for speed does not eliminate these tests. It makes pre-agreement essential. The RIRs should know before the next crisis which functions are presumptively safe, which require a second authorization and which cannot be performed as mutual aid at all. A prepared boundary allows engineers to act faster because they do not need to invent constitutional authority during an outage.
The existing promise is stronger on money than independence
The Stability Fund is valuable because it turns informal solidarity into a public commitment. Each RIR pledges support, requests must be documented, activities outside registry or policy-development functions generally do not qualify, and approved spending must follow concrete plans. Joint accounting by RIR finance officers creates a measure of control. These features make assistance more reliable than an improvised private arrangement.
The model is nevertheless organized around insiders. The affected board requests help. The five RIR executives decide unanimously. RIR finance officers manage the allocation. Those actors may be entirely responsible and still lack independence from the institutional interests at stake. Mutual aid asks peers to support a peer. Independent review asks someone outside that reciprocal relationship to test whether the support is being used for its stated purpose.
Reciprocity changes incentives. Every RIR knows that it might one day need help. That knowledge encourages generosity, which is desirable. It can also discourage hard questions. An executive deciding whether to challenge another registry's account may imagine how the same challenge would feel during a crisis at home. A board may hesitate to condition aid on governance disclosure because it would not want those conditions applied to itself. Mutual assurance can quietly become mutual forbearance.
Unanimity does not solve the problem. It proves that all five executives agree, not that an independent reviewer verified the trigger. In some cases unanimity may make aid too slow. In others it may amplify the appearance that the RIR family has validated the affected institution. A unanimous emergency grant can be technically prudent and evidentially weak at the same time.
The public terms also allow a formal request by the affected RIR's board. That is sensible for a natural disaster or external attack. It is less satisfactory when board legitimacy, conflicts, financial control or refusal to act forms part of the crisis. A board cannot be the exclusive gateway to assistance needed to protect users from that board's paralysis. Nor should a rival faction obtain assistance merely by making accusations. An alternative trigger needs independent verification.
Financial auditing is necessary but incomplete. An audit can show that money purchased hosting, salaries or incident response. It may not show whether those purchases entrenched disputed control, whether the service scope was excessive, whether data access was lawful, whether less intrusive assistance was available or whether the emergency continued long enough to justify renewal. Compliance with a budget is not the same as legitimacy of purpose.
The fund's own language points toward a solution. It describes support as an extra insurance measure for registry stability and emphasizes public assurance of governance, risk management, community support, reserves and insurance. Insurance responds to a defined loss. It does not ordinarily decide a corporation's constitutional dispute. Treating the fund as service insurance clarifies why an independent adjuster-like function is appropriate.
That function should not obstruct the first hours of rescue. It should begin at activation, receive evidence immediately and issue a preliminary scope check within days. Its presence would protect the assisting RIRs as well as the public. They could show that technical solidarity did not require them to endorse a contested board or conceal a governance failure.
The dangerous sentence: “We are only helping operations”
Operational language sounds neutral, but operations embody authority. Someone decides which account holder is authentic, which employee receives privileged access, which transfer is routine, which certificate action is valid, which invoice should be paid and which public statement describes current control. In a stable organization those decisions are mundane. In a crisis they can determine who governs.
Consider identity. If the affected registry's corporate officers are disputed, an assisting RIR must still decide whose credentials can authorize sensitive changes. Accepting the incumbent credential directory may favor one side. Rebuilding identity from member records may create a new authority. Freezing every privileged action may protect neutrality but harm users. There is no purely technical answer; there are better and worse procedures.
Consider data custody. Copying registration data for continuity may be essential. The data may include non-public contact details, account history, supporting documents, security material and dispute records. Peer access expands the circle of trust and may cross jurisdictions. The RIR Governance Matrix shows that the five organizations operate under different legal frameworks and document different governance and dispute arrangements. Mutual aid needs a stated legal basis, access limits, retention rule and deletion or return procedure.
Consider money. Paying essential engineers can preserve service. Paying directors' litigation costs or public-relations advisers may protect an institution. Paying rent for a secure operations center may be necessary. Advancing general corporate funds without ring-fencing can release other money for contested purposes. A narrow budget can still have wider effects.
Consider RPKI. RFC 6480 describes an infrastructure in which certificates and signed entities support route-origin validation. Assistance affecting certification or publication must avoid contradictory authority and unexpected relying-party consequences. A peer cannot treat the work as an ordinary website restore. At the same time, the sensitivity of RPKI should not become a reason to endorse whichever group currently holds credentials. Conservative continuity may require limited action, explicit logs and an independent authority determination.
Consider communications. A peer statement that “services remain available” is an operational assurance. A statement that “the legitimate leadership has requested and received support” makes a governance claim. Even a logo arrangement or named signatory can signal recognition. The assistance plan should distinguish status reporting from institutional advocacy.
The sentence “we are only helping operations” is therefore a claim to be tested, not a safe category. The reviewer should trace each aid measure to a named service and ask what institutional effect it creates. Some effects will be unavoidable and proportionate. Others can be reduced through neutral custody, dual authorization, transaction classes, redaction, temporary freezes or an independent administrator.
This is why transparency must describe functions rather than rely on labels. The public does not need exploit details or privileged legal advice. It needs to know that assistance covers, for example, public registration availability, existing-holder authentication and preservation of open transfer requests; that disputed control changes are excluded; that access is logged; and that the arrangement expires on a stated date. Concrete scope makes neutrality assessable.
Rescue and judgment need separate clocks
An outage clock is measured in minutes and hours. A governance review clock is measured in days and weeks. A recognition or derecognition clock may run longer. Trying to force all three onto one schedule produces either dangerous delay or unexamined power.
The first clock should authorize a minimal rescue envelope. A pre-approved incident team could preserve systems, secure credentials, activate backups, maintain public directory access and prevent irreversible changes. The authority should last only long enough for facts and legal control to be assessed. Every action should be logged from the beginning.
The second clock should begin immediately but need not finish before rescue. An independent reviewer should verify the trigger, examine conflicts, identify affected services, hear the affected registry and resource-holder representatives, and recommend the proper scope. The reviewer should publish a short non-sensitive determination. If the initial aid exceeded the justified scope, it should be narrowed without abandoning users.
The third clock concerns institutional status. Compliance restoration, board legitimacy, recognition, derecognition, succession and permanent transfer require their own procedures. Emergency assistance may supply evidence, but it must not prejudge the result. A registry that needs help can remain entitled to operate after recovery. A registry that maintains services through aid can still fail governance obligations. Service success and institutional compliance are different findings.
This temporal separation is reflected imperfectly in newer public materials. ICANN's Implementation and Assessment Procedures for ICP-2 Compliance, ratified in December 2024, describes investigation, attempts to restore compliance and coordination with the other RIRs if operations cannot be restored and an emergency provider is needed. The procedure recognizes both remediation and continuity. It does not turn every operational problem into immediate removal.
The August 2025 second draft RIR Governance Document goes further by describing emergency continuity, ongoing obligations and a possible handoff. It is a draft, not settled authority. Its importance lies in treating assistance, rehabilitation and status as distinguishable stages. The Q1 2026 status report also records continuing discussion about emergency triggers, duration, renewals and resource-holder protections.
The final design should make the clocks explicit. An emergency activation should state its hour and scope. Independent review should have a near-term deadline. Any extension should require fresh evidence. Institutional proceedings should follow their own notice and review rules. The public should never have to infer that temporary technical aid has silently become recognition of permanent control.
Independence must be designed, not declared
An independent reviewer is not independent merely because current RIR employees are excluded. Independence has financial, appointment, informational and relational dimensions. A panel paid entirely at the discretion of the NRO Executive Council may hesitate to oppose it. A reviewer selected after a crisis by the assisting institutions may appear chosen for the expected result. A respected community veteran may still have deep ties to boards, vendors or factions.
The review function should be standing rather than improvised. Members could be appointed for staggered terms through multiple channels: a limited number by RIR communities, a limited number by ICANN's established mechanisms and a limited number through an open selection for independent technical, legal, audit and public-interest expertise. No appointing group should control a majority. Current RIR directors, executives, senior staff, material vendors and active litigants should be ineligible.
Conflict disclosure needs specificity. Prior employment, consulting, funding, close professional relationships, public advocacy and current regional roles should be disclosed. Recusal rules should prevent a reviewer from assessing a former employer or a dispute in which the reviewer has taken a material position. Replacement members should already be identified so recusal does not halt urgent work.
Funding should be assessed in advance and held separately from the assistance decision. The reviewer should have access to its budget without seeking permission from the executives whose action it examines. Compensation should be public in aggregate. Staff support and secure evidence facilities should be available before activation.
Information access is equally important. The reviewer needs incident reports, assistance requests, budgets, access logs, relevant board records, continuity plans, legal authority for data sharing and explanations of excluded alternatives. Privilege and security can be protected through confidential procedures, but they cannot become blanket reasons to withhold every decisive fact. The public determination can summarize evidence without exposing vulnerabilities or personal data.
Standing to submit evidence should extend beyond the affected board. Senior operational staff, member-elected representatives, verified resource holders, auditors, the assisting RIRs, ICANN and relevant lawful authorities may possess material facts. The reviewer should guard against volume campaigns and unsupported claims, yet a board should not control the evidentiary door.
Independence also requires remedial limits. The reviewer should not run the registry, allocate numbers or select a permanent board. It should verify the mutual-aid trigger, approve or narrow scope, recommend safeguards, monitor expiry conditions and refer separate concerns to the proper process. A focused mandate makes prompt review possible and avoids creating another unaccountable center.
Finally, there must be review of the reviewer. A party materially affected by a scope determination should be able to seek reconsideration for factual error, conflict or departure from the published procedure. That review should be expedited and should not automatically suspend essential service measures. Independence is credible when power remains bounded at every layer.
A public record that does not expose the network
Registry emergencies can involve exploitable security facts, personal data, active investigations and privileged advice. Radical disclosure during an incident could worsen the harm. Secrecy, however, cannot be the default answer to every accountability question. The solution is structured transparency.
An activation notice should identify the affected registry, the general trigger category, the services at risk, the assisting parties, the legal or contractual basis, the start time, the initial expiry, the reviewer and a contact for affected resource holders. It should state what is not authorized. It need not reveal attack indicators, administrator identities, security architecture or confidential member records.
A scope schedule should list functions in operational terms. It might authorize preservation of registration data, maintenance of RDAP availability, routine authenticated updates, reverse-DNS support, specified RPKI publication continuity and preservation of pending requests. It might reserve changes involving disputed control, bulk transfers, revocation, board credentials, asset disposition or permanent migration. The actual categories will depend on the event; publishing them reduces rumor.
A financial notice should state the amount or range committed, whether support is cash or in kind, the cost categories, ring-fencing controls and the next reporting date. It should not expose salaries or vendor-security details unnecessarily. If the assistance comes from pledged reserves under the Stability Fund, the public should be able to trace the authorization and later audited use.
A review notice should summarize the evidence considered, material conflicts, the finding on operational necessity, the least intrusive measures considered and unresolved uncertainty. Where facts are disputed, the notice should say so. The reviewer should distinguish verified service impact from allegations about institutional fault.
Renewal should never be automatic. A renewal notice should show what has improved, what remains impaired, why ordinary control cannot resume, which measures are being narrowed, the cumulative cost and the next handback test. Repeating the original explanation is not enough. Time should increase the burden of justification because a temporary arrangement can reshape authority through practice.
At closure, a report should describe the duration, services maintained, material incidents, expenditures, data disposition, restored authority, outstanding disputes and lessons for future readiness. Security-sensitive details can remain protected or be published later. The existence of a closure record is essential: it confirms that mutual aid ended rather than dissolving into an undocumented new normal.
This layered approach is more informative than publishing broad assurances and safer than releasing raw incident material. It gives operators what they need to understand service risk, gives members what they need to assess institutional effect and gives future reviewers an audit trail.
Time limits are constitutional controls
Every emergency measure should expire. This is not administrative tidiness. Expiry prevents the exceptional authority created for rescue from becoming ordinary governance without a new decision.
The initial period should be short enough to force early review and long enough to stabilize immediate services. The precise duration may differ by incident class. A natural disaster with intact board authority may justify a straightforward operational extension. A conflict over corporate control should require more frequent review because every assistance act can affect the dispute. A prolonged regional conflict may require repeated support but also stronger neutral-custody arrangements.
Renewal should require four findings. The operational risk remains material. The assisted services remain necessary. Less intrusive or ordinary arrangements are not yet sufficient. The continuation does not improperly determine a separate governance or status question. Each finding should rest on current evidence.
Assistance should narrow over time. Emergency hosting may continue while privileged identity support returns to the registry. Public directory service may remain assisted while ordinary billing resumes. A forensic team may finish its work after member support functions are restored. Treating aid as one indivisible package encourages unnecessary persistence.
There should also be a cumulative threshold. Once assistance passes a defined duration or value, a deeper institutional review becomes mandatory even if each short renewal can be justified. Long dependence may indicate that the organization lacks operational capacity, financial stability or lawful control. The conclusion may be rehabilitation rather than removal, but the issue cannot remain framed as a sequence of temporary incidents.
Handback needs objective tests. Systems are available. Authorized staff are in place. Credentials are reconciled. Data integrity is verified. Service backlogs are manageable. Legal authority to operate is sufficiently clear for the functions being returned. Security risks are within accepted bounds. Resource holders receive notice. Logs and records transfer under controlled custody.
Handback should not require political harmony. Organizations often resume service while disputes continue. The test is whether ordinary authorized operations can function safely, not whether every member accepts the board. Conversely, a public claim of restored normality should not end aid if the technical conditions remain false. Independent verification protects both sides.
Expiry also constrains the assisting RIR. A peer that has built systems, hired staff or gained regional knowledge may prefer continued involvement. Its competence does not create entitlement. Any permanent service or territorial role should follow a separate, competitive and regionally legitimate process.
Resource holders must not become votes
During an institutional crisis, each side may claim to represent the community. Resource holders can then be treated as evidence rather than as users. Continued access may be portrayed as endorsement of the incumbent. Requests for help may be portrayed as support for a challenger. Silence may be counted as consent. This is unacceptable.
Mutual aid should include a non-attribution rule. Using emergency services, paying ordinary fees, authenticating an account, submitting a transfer request or communicating with the temporary operator must not be treated as political support for any board, candidate or status outcome. Service is a right or contractual expectation, not a plebiscite.
Holders need stable notice. They should know which services are available, which are delayed, how to authenticate, how existing requests are treated, how to report errors and where to seek review. If a service is frozen, the reason and expected review point should be stated. Generic assurances are not enough when routing and commercial transactions depend on the answer.
Disputed records require special treatment. A temporary operator should preserve the current authoritative state unless a clearly authorized and verified correction is available. It should record the dispute, secure the evidence and avoid irreversible changes. That conservatism protects against capture by either faction. It should not become an indefinite denial of legitimate correction; a neutral review route is necessary.
Fees should be stable and ring-fenced where possible. An emergency operator should not impose strategic price changes or use payment as a loyalty test. Necessary cost recovery can be approved transparently. Arrears and contested charges should retain their prior posture rather than being opportunistically enforced or forgiven.
Appeal rights must survive the crisis. Existing deadlines may need tolling if records or decision-makers are unavailable. A holder should not lose a claim because the registry could not receive it. New emergency decisions should have an expedited challenge route, especially for authentication, transfer preservation, revocation and RPKI actions.
Privacy protections must follow the data. Peer assistance does not erase the affected registry's obligations or the expectations under which holders provided information. Access should be role-based, logged and limited to the assisted functions. Data copied for rescue should be returned or securely disposed of when no longer needed, subject to lawful preservation.
These protections keep mutual aid aligned with its beneficiary. The clearest proof that assistance is not institutional immunity is that users receive continuity without surrendering their neutrality, evidence or right to complain.
Hard cases reveal the boundary
A natural disaster destroys an operations site but leaves lawful governance intact. The boundary is relatively simple. Peers can host services, lend staff and restore backups under the board's authority. Independent review can be light but should still verify scope, data custody and closure.
A cyberattack compromises privileged credentials, and no one knows which instructions are genuine. Assistance must be more conservative. The board may be legitimate but unable to authenticate itself. The reviewer should support a neutral identity-recovery procedure, prevent high-risk changes and avoid treating possession of surviving credentials as proof of authority.
A registry faces financial distress after years of poor oversight. Paying engineers and infrastructure may protect users. Unrestricted cash to the same leadership may postpone accountability. Aid should be ring-fenced, milestones should be public, and a separate governance assessment should begin. The peer group should not condition service rescue on absolving the board, nor use financial leverage to select a successor.
A court order restricts an account or challenges corporate control. The RIRs should obtain competent legal analysis in the relevant jurisdiction and preserve global registry coherence. They should not describe the court as a threat merely because its order inconveniences the institution. If a narrow technical accommodation can comply while protecting uniqueness, it should be considered. If an order would create contradictory records, the specific conflict should be explained through proper legal channels.
A political conflict prevents staff from reaching facilities. In-kind assistance may need to last longer, with heightened personal-security and data-transfer safeguards. The fact that a government is involved does not automatically validate or invalidate the registry's leadership. Neutral service continuity and institutional judgment remain separate.
A board refuses to request help even as critical services degrade. The board-gateway rule fails. A verified request from senior operations staff, an auditor, ICANN or a defined group of resource holders should be able to trigger an independent emergency assessment. Activation against the board's wishes should require a higher evidentiary threshold and a narrow initial scope.
A rival group requests aid while services remain stable. Mutual aid should not become a route to external intervention. The reviewer can reject activation, preserve evidence and refer governance allegations to the appropriate forum. A complaint is not an outage.
An assisting RIR performs so well that some members want it to remain permanently. Emergency competence is relevant evidence but not a mandate. Permanent recognition or regional restructuring requires a distinct process with fair consideration of alternatives, regional support and conflict controls.
These cases show why one broad concept of “stability” is inadequate. Stability may mean uptime, record integrity, lawful authority, financial endurance, member legitimacy or regional peace. Measures that improve one can damage another. Independent review forces the decision to name which stability is being protected.
Peers are essential witnesses, not neutral judges
The assisting RIRs will often possess the best evidence about whether an operational claim is plausible. They know what a functioning registry must exchange with its peers. They can distinguish a cosmetic outage from a loss of essential capability. They understand how transfer coordination, reverse DNS, public registration and routing-security services behave in practice. Any serious review should use that expertise.
Expertise and neutrality are different properties. A peer may accurately diagnose a failed service while holding an institutional interest in the legal interpretation attached to that diagnosis. It may prefer a remedy that preserves familiar coordination arrangements. It may fear that criticism of one RIR will create expectations for the others. It may have shared vendors, joint programs, staff relationships or prior public positions. None of this disqualifies the evidence. It changes the weight assigned to conclusions about fault, scope and institutional consequence.
The review design should therefore treat peer submissions as expert testimony. Each assisting RIR should identify observed facts, technical inferences, recommended measures, known uncertainty and institutional interests. If all five agree, the agreement is relevant. It is not self-proving. The reviewer should be able to ask whether the same operational result could be achieved through a narrower measure or a different temporary operator.
Evidence should be reproducible where security permits. A claim that registration integrity is at risk might be supported by reconciliation failures, unavailable systems, missing logs or inability to authenticate current data. A claim that RPKI continuity requires intervention might be supported by publication status, certificate timelines and controlled tests. A claim that current staff cannot resume service might be supported by access, staffing and authority records. “The peers are concerned” is not a substitute.
The affected RIR should be able to answer. It may show that a peer misunderstood a local system, overstated a dependency or proposed a measure inconsistent with applicable law. Operational staff may disagree with the board. A lawful authority may impose constraints that are invisible from another jurisdiction. The reviewer needs a process for testing those differences quickly rather than converting RIR consensus into a factual presumption.
Possible temporary providers should also be assessed neutrally. The nearest RIR may have mature systems and established trust, making it the best immediate choice. A commercial contractor may have useful infrastructure but lack public-interest authority. A regional technical consortium may have local knowledge but limited public evidence security controls. An independent custodian may preserve data without being able to serve users. The selection record should explain capability, conflict, speed, cost and reversibility.
Peer evidence becomes especially sensitive when it concerns compliance. An RIR may report that another cannot meet a common standard. That report should identify the standard, observed departure, operational impact and remedy attempted. It should not leap from a failed test to a recommendation about recognition unless the governing procedure authorizes that conclusion and separate evidence supports it.
Treating peers as witnesses protects their proper role. They can speak candidly about technical risk without being forced to decide a colleague's legitimacy. They can offer urgent help without claiming judicial neutrality. They can disagree about scope while cooperating on preservation. The independent reviewer gains high-quality evidence while retaining responsibility for the boundary between rescue and protection.
The mutual-aid compact the RIR system needs
A revised compact should begin with a service-first statement: the purpose of mutual aid is to protect resource holders and the integrity of the Internet Numbers Registry System during a defined disruption. Assistance does not imply approval of the affected institution's governance, legal position, recognition status or leadership.
It should then create two activation routes. The ordinary route begins with a documented request from the affected board. The protective route begins with credible evidence from defined alternative actors when the board cannot or will not act. Both routes permit a minimal emergency envelope and trigger immediate independent review.
The compact should publish a catalogue of aid functions. A green class would cover presumptively reversible preservation and availability measures. An amber class would cover actions with significant rights or authority effects and require reviewer approval. A red class would exclude permanent status decisions, asset transfers, political endorsements and irreversible resource changes from mutual-aid authority.
Every activation should have an incident lead, a reviewer, a budget, a data-protection schedule, an action log, a public notice, an expiry and a handback plan. The affected board, assisting RIRs and reviewer should sign different parts because their responsibilities differ. No signature should be allowed to imply agreement on contested institutional facts beyond its stated purpose.
Renewal should require current operational evidence and reviewer approval. A board should not renew support for itself. The assisting RIRs may propose continuation but should not be sole judges of their own expanded role. After a cumulative threshold, an external compliance assessment should be mandatory.
The compact should protect dissent. An RIR that questions scope should be able to publish a reasoned view without being accused of abandoning continuity. A reviewer should be able to narrow aid without taking a position against the affected institution. Resource holders should be able to complain without losing service. Technical staff should have a protected channel for reporting misuse.
It should also require exercises. The five RIRs can test secure data transfer, identity recovery, public-directory continuity, transaction logging, communication and handback without simulating political conclusions. Exercises should include an observer from the review function and publish non-sensitive lessons. A compact never tested is a promise to improvise.
Finally, the arrangement should fit the wider recognition framework without being absorbed by it. ICANN compliance procedures, NRO coordination, regional corporate law, member rights and technical standards have different roles. Mutual aid should feed facts into those processes, not replace them. A clean boundary makes every institution more credible.
Solidarity that can survive scrutiny
The RIRs are right to promise one another help. A registry system that abandoned a region at the first sign of trouble would fail the networks it exists to serve. Shared expertise, funds and infrastructure can prevent a local crisis from becoming a global operational problem.
Solidarity becomes durable when it accepts scrutiny. The affected RIR should welcome a record showing that assistance was necessary and bounded. The assisting RIRs should welcome protection from the claim that they chose a faction. ICANN should welcome evidence that continuity did not predetermine status. Resource holders should see that their services, not an institutional family, were the beneficiary.
Independent review will occasionally slow or narrow what executives prefer to do. That is the point. It should not prevent immediate preservation measures. It should require the broader intervention to earn authority. Speed and accountability can coexist when their clocks and mandates are designed in advance.
Transparency will occasionally reveal uncertainty. That is healthier than manufactured unanimity. A notice can say that service risk is verified while corporate authority remains disputed. It can say that data has been preserved while a transfer class remains frozen. It can say that financial aid is necessary while causes are still under examination. Precision builds trust.
Time limits will occasionally force a difficult renewal. That too is healthy. If aid remains necessary, current evidence should show why. If it has become an ordinary operating arrangement, the system should name that change and use the proper institutional process. Temporary authority should never mature through silence.
The central discipline is simple to state: rescue the service, preserve the evidence, protect the user and leave judgment to a separate forum. In practice it requires interfaces, people, money, conflict rules, logs, public notices and rehearsed handback. The work is substantial because the dependency is substantial.
Mutual aid and mutual immunity can look identical in the first hour. Both may restore a service and mobilize peer support. They diverge over time. Mutual aid narrows, explains itself, submits to independent examination and ends. Mutual immunity broadens, invokes solidarity, treats peer consensus as validation and makes expiry elusive.
The RIR system does not need less cooperation. It needs cooperation with an outside edge: a place where evidence can be tested, conflicts can be named and assistance can be separated from absolution. That edge would make technical solidarity stronger, not weaker. It would prove that the five registries can protect one another's essential services without promising to protect one another from accountability.

