Launched in 2012, the Universal Postal Union’s .POST Group (DPG) celebrates its 10th anniversary this year. DPG traces its roots back to the late 1990s when visionaries in the postal sector – led by Sweden, Canada, France, and Italy – believed that the internet would become a significant part of people’s lives, and that important industries such as the postal sector should have a stake in its development.To represent the postal sector on the internet and provide posts with a secure and reliable space to develop internet-based services, the DPG was formed at the Doha Congress in 2012. The group steers the UPU’s .POST sponsored top-level domain name and manages the development of .POST and the services it offers. The UPU became the first international organization to obtain a sponsored top-level domain name from the Internet Corporation for Assigned Names and Numbers (ICANN) in 2009.
The founding member countries were Italy, Morocco and Malaysia, funding the initial launch in 2012. In 2013, at the first meeting of the group, a further 22 member countries joined them in supporting the project. Since 2012, more than 55 countries have contributed to the development of .POST, as well as 10 private sector companies. Furthermore, there were seven .POST domains registered in 2012, and now there are almost 100.
“The first service launched on .POST in 2012 was for the global track and trace of all mail items in the UPU network,” explains Paul Donohoe, Manager of the UPU’s Digital Policies and Trade Programme. “Since then .POST has been used by the UPU’s Postal Technology Centre (PTC) to secure all its cloud products – IPS.POST, IFS.POST, CDS.POST, DPS.POST. More than 30 posts have also registered .POST domains and this continues to grow.”
DPG is open to all UPU member countries who can join as full members, and to companies and associations in the wider postal industry which join as associate members and agree to the group’s Rules of Procedure and Code of Ethics.
A helping hand
According to Massimiliano Aschi, DPG Chairman, cooperation among designated operators has been key to the success of .POST. “We operate our business as a highly integrated worldwide network of networks and we are all aware that the level of cyber-security we can reach is as high as the security level of the weakest link in our value chain,” he explains. “We need to provide a coordinated, uniform answer to the forthcoming threats to our digital business and to sustain the trust our customers place in us by providing them with state-of-the-art, secure, digital services.”
And this is exactly what .POST has done. During the first ten years of its existence, the group has built up an overall strategy, which lays down a robust set of security policies and technical infrastructure to deliver innovative security services to its constituency.
“Posts took advantage of .POST security features to enter e-commerce,” says Donohoe. “The development of e-philately in many developing countries was driven by the capabilities that .POST provided. The early adopters of this were from Uruguay, Tanzania, and the Netherlands.”
Speaking at a recent webinar hosted by the DPG, Engineer Kulwa Fifi, the acting manager of e-business at Tanzania Posts Corporation (TPC) detailed how thanks to using .POST to develop its e-commerce site for stamps (stamps.tz.post), the Post has not experienced any issues with regards to hacking or payment security. “Due to this security we encourage all post offices to use the .POST domain and join the group to make their services more secure,” he said.
Many posts have used .POST to sell more than just stamps. TPC being one of them with its https://postashoptz.post e-commerce site, which sells everything from fashion, electronics and groceries to stationery and arts and crafts. Another post that has ventured into this space thanks to .POST is Zimbabwe Posts (Zimpost), which launched Zimbabwemall.post – a fully integrated e-commerce marketplace that is supported by a responsive delivery solution – in 2017.
According to Zimpost, the online mall provides four main revenue areas for the Post – online shopping, online advertising, last mile delivery and warehousing. Currently there are about 138 e-sellers on Zimbabwemall.post and 479 different products being sold.
Speaking about why Zimpost chose to use .POST, Golden Chisi, ICT infrastructure Manager, said, “.POST provided the necessary platform for Zimpost to develop other business opportunities and increase its visibility on the global market. Zimpost joined the DPG to benefit from security and interconnectivity which are strong foundations for digital services using the .POST top level domain infrastructure.”
Others like Macao, took advantage of the security capabilities of .POST and launched e-government portals offering a secure electronic post box for public and private use including for all administrative documents with the government. And recently, private sector members of the DPG have explored innovative new projects in blockchain, digital identity and big data.
Over the past 10 years, as more and more postal services went online, cybercrime exploded. This has provided an additional challenge for posts and one that the DPG has worked hard to provide assistance for. “The growth of the internet has meant that cyber-attacks represent a borderless challenge to companies operating online. So whilst the security features of .POST are important, it is necessary to place a greater emphasis on the adoption and use of these security features to protect the postal industry,” says Aschi.
Over the years, the DPG has provided extensive cyber security training and awareness activities to its posts. According to Aschi, the group is set to “intensify and diversify” its cyber-security activities in the coming years to address the needs of both the least and most-developed countries.
“In the next few years, the DPG will play the role of a “cyber-security digital enabler” for the benefit of the ones who wish to focus on service value proposition, trusting our state-of-the-art security measures for mitigating the risks of cyber-threats to materialize and disrupt operations,” he explains.
Work has already been done in this area. In 2017, for example, the UPU approved the first Cybersecurity Framework, which provided a set of advanced .POST based cybersecurity recommendations to help them reduce the risk of domain hijacking, phishing and spoofing – the leading causes of identity theft and fraud.
Furthermore, in 2020, the UPU launched the .POST Cyber Incident Response Team (CIRT), utilizing the security expertise of the PTC, to support DPG members with any cybersecurity incidents that may occur in .POST.
Also in 2020, .POST began offering cybersecurity capacity building activities. “The first cybersecurity course was offered thanks to the support of the Global Cyber Alliance,” explains Donohoe. “Over 15 posts registered to the five-week online course. The course was repeated in 2021, with a total of nine commendation certificates awarded.”
Most recently, in April 2022, .POST launched the Cybertrack.post cybersecurity compliance tool. This self-assessment web-based tool is available for all UPU members to validate their compliance to UPU cybersecurity policies. It is envisaged that Cybertrack.post will become a hub for reporting incidents to CIRT. The tool also gives posts an entry point to a new range of .POST cybersecurity services through a newly established .POST Learning Platform.
The UPU will now be hosting cybersecurity training and capacity building activities via the .POST Learning Platform, initially in the areas of .POST domain technical compliance with approved cybersecurity policies. “We plan to widen its scope in the very near future, in partnership with global cybersecurity awareness and education partners, to include cybersecurity-specific topics and issues of relevance to .POST Group members,” said Aschi.
The .POST Group plans to further expand its services portfolio over the next few years to ensure that it can continue to deliver high value services to its constituency. “Over the next 12-18 months, for example, stakeholders will be able to subscribe to services that will be offered through the .POST Shared Services Platform,” explains Donohoe. “This will include subscription-based services in the areas of secure email, secure web hosting, secure digital certificates, secure e-commerce and e-business, open data, and more.
“These services will be offered in partnership with ICANN-accredited Registrars as well as globally respected and established service providers in specific digital service areas,” he adds.
A decade on since its launch, .POST’s remit remains the same – to keep posts secure on the internet. It’s role, however, has grown in importance as more posts launch digital services and the threat of cyber-attacks increases.
“According to industry reports and reports from relevant authorities, cyber-crime and cyber-warfare scenarios are more and more real and affecting all kinds of digital business around the world. Just in the last few months, Hellenic Post, Bulgarian Posts and Ukraine’s national postal service Ukrposhta were all affected by confirmed cyberattacks, with New Zealand Post and Correios Brazil also reporting attacks in the later months of 2021. These attacks impact business, produce a financial and reputational impact, and unsettle the sense of confidence in technologies and digital services. With this in mind, .POST is needed now more than ever,” Aschi concludes.
This article first appeared in Union Postale No.2 2022.