About the Author
This article was written by Ahmar Imam with over a decade of combined experience in threat intelligence, identity protection, and incident response. Ahmar is a founder of D3C Consulting, where his team monitors emerging attack campaigns daily and works directly with enterprise security teams and individual consumers to mitigate data breach risks.
Reviewed by: Senior Threat Intelligence Analyst | Certified Information Security Professional (CISSP) | Identity Management expert
You locked your data behind strong encryption. AES-256. RSA-2048. The best your IT team could buy. You figured: if a hacker steals it, they can’t read it. You were right, for now.
But here’s the problem. Nation-state hackers and cybercriminal groups aren’t trying to break your encryption today. They know they can’t, not yet. Instead, they’re quietly collecting your encrypted data and storing it. Waiting. Biding their time until quantum computers are powerful enough to crack open everything in minutes.
This attack strategy is called “harvest now, decrypt later” (HNDL). It is also known as the “store now, decrypt later” (SNDL) attack. And according to intelligence agencies across the U.S., Canada, and allied nations, it is already happening at a massive scale.
This blog breaks down exactly what this threat is, who is behind it, what data is at risk, and, most importantly, what you can do about it right now.
What Is the ‘Harvest Now, Decrypt Later’ Attack?
The harvest now, decrypt later attack is not complicated. But it is dangerous precisely because it is patient.
Here is how it works in three steps:
- Harvest: Attackers intercept and collect encrypted data in transit or breach systems to steal encrypted files. This data looks useless, it’s locked behind encryption they cannot currently break.
- Store: They store that encrypted data in massive data archives. This costs very little compared to the potential future payoff. Nation-state actors with unlimited budgets are especially well-suited for this.
- Decrypt Later: When a cryptographically relevant quantum computer (CRQC) becomes available, estimated anywhere between 5 and 15 years from now, they run algorithms like Shor’s algorithm to break the encryption and read everything.
Think of it like a bank robber who photographs the vault’s blueprints today, planning to crack the safe the moment the right drill is invented. The robbery starts long before the tool exists.
Is the harvest now, decrypt later threat real?
Yes. U.S. intelligence agencies including the NSA and CISA, as well as allied agencies in Canada and the UK, have confirmed that nation-state actors, particularly China and Russia, are actively conducting harvest now, decrypt later campaigns against government agencies, defense contractors, healthcare systems, and financial institutions.
Why Is This Threat Real Right Now?
Some people dismiss the quantum threat because a CRQC doesn’t exist yet. That’s a dangerous mistake. The harvest now, decrypt later strategy doesn’t need quantum computers to exist today. It only needs two things:
- Encrypted data worth stealing, which already exists everywhere.
- The belief that quantum computers will arrive within the data’s shelf life.
That second point is the key. Ask yourself: how long does your data need to stay confidential?
Data Type | Typical Confidentiality Requirement |
Medical records | 10–100+ years |
Government/military secrets | 25–75+ years |
Intellectual property & trade secrets | 10–50 years |
Financial data & contracts | 7–30 years |
Personal identifiable information (PII) | Lifetime of the individual |
Authentication credentials & private keys | Until changed, often years |
If quantum computers arrive in 10 years, data stolen today with a 20-year sensitivity window is fully at risk. This is not a future problem. It is a present problem.
Does my small business need to worry about quantum threats?
Yes. Small and mid-sized businesses are often targeted as entry points into larger supply chains or because they hold sensitive customer data. The most immediate steps for SMBs are to enable TLS 1.3 on all systems, upgrade to AES-256 encryption for stored data, and ask cloud and SaaS vendors about their post-quantum migration timelines.
CRITICAL ALERT
The U.S. National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and Canada’s Communications Security Establishment (CSE) have all issued formal warnings about harvest now, decrypt later attacks being actively conducted by foreign state actors against critical infrastructure, defense contractors, financial institutions, and healthcare systems.
Who Is Behind Harvest Now, Decrypt Later Attacks?
Nation-state actors are the primary threat. These are government-sponsored hacking groups with the resources, patience, and strategic motivation to collect vast amounts of encrypted data and store it for years.
The most frequently cited actors in intelligence community assessments include:
China
Through groups like APT41 and the Volt Typhoon campaign, Chinese state-sponsored hackers have been documented targeting U.S. critical infrastructure, government networks, and technology companies. Long-term data collection is a known strategy.
Russia
Russian intelligence agencies (FSB, SVR, GRU) have extensive cyber operations focused on espionage and data collection against NATO countries.
Iran and North Korea
While less advanced in quantum development, both nations collect intelligence data that could be valuable once quantum decryption tools become available or accessible through third parties.
Non-state actors, including organized cybercrime groups, may also participate, especially if quantum decryption capabilities eventually become commercially available on dark-web black markets or through nation-state leakage, similar to what happened with NSA tools in the Shadow Brokers leak.
What Data Are Hackers Targeting?
Not all data is worth harvesting. Attackers focus on data that will remain sensitive and valuable long enough to be worth decrypting when quantum computers arrive. Here is what is most at risk:
1. Government and Military Communications
Classified communications, diplomatic cables, defense contracts, and military operational plans have decades-long sensitivity windows. They are prime targets.
2. Healthcare and Biometric Data
Medical records, genomic data, and biometric identifiers (fingerprints, facial recognition data) are permanent identifiers that never expire. Once exposed, there is no way to change your DNA or reset your fingerprints.
3. Financial Systems and Transactions
Banking records, wire transfer authorizations, and financial system credentials could enable massive fraud if decrypted years later. Legacy transaction records often contain enough information to reconstruct account access.
4. Intellectual Property and Trade Secrets
R&D data, patent applications, product blueprints, and proprietary algorithms can retain enormous competitive value for decades. Pharmaceutical research is especially sensitive, the value of a drug compound’s formula doesn’t expire.
5. Authentication Infrastructure
Public key infrastructure (PKI), TLS/SSL certificates, and private keys used to sign software or authenticate systems are high-value targets. If these are decrypted in the future, it could enable retroactive impersonation or code-signing fraud.
6. Encrypted Communications in Transit
VPN tunnels, encrypted email (PGP/S-MIME), and HTTPS sessions are all interceptable at the network level. Nation-state actors with access to internet exchange points (IXPs) or major ISP backbone infrastructure can p
KEY INSIGHT
Any data encrypted with RSA, Elliptic Curve Cryptography (ECC), or Diffie-Hellman key exchange is vulnerable to future quantum decryption via Shor’s Algorithm. This includes the majority of today’s internet encryption. Symmetric encryption like AES-256 is more resistant, but key exchange mechanisms are still at risk.
The Science Behind the Threat: Why Quantum Computers Break Today’s Encryption
To understand why this threat is real, you need to understand, at a basic level, what makes current encryption work and what makes it breakable by quantum computers.
How Current Public-Key Encryption Works
Modern encryption like RSA and ECC relies on mathematical problems that are easy to do in one direction but nearly impossible to reverse. RSA, for example, uses the fact that multiplying two massive prime numbers together is simple, but factoring the result back into those two primes takes classical computers thousands or millions of years for large enough numbers.
Your encrypted bank login, VPN, and almost every HTTPS website rely on this one mathematical assumption: factoring big numbers is hard.
Why Quantum Computers Change Everything
In 1994, mathematician Peter Shor published an algorithm, now known as Shor’s Algorithm, that can factor large numbers exponentially faster using quantum mechanics. A quantum computer running Shor’s Algorithm could break RSA-2048 encryption in hours. Maybe minutes.
A second algorithm, Grover’s Algorithm, also weakens symmetric encryption like AES. While it does not break AES-256 outright, it effectively cuts its security in half, reducing AES-256 to the equivalent security level of AES-128. NIST’s recommendation in response is to upgrade to AES-256 as a minimum for long-term data.
Encryption Algorithm | Quantum Vulnerability Status |
RSA (1024–4096-bit) | Broken by Shor’s Algorithm, must be replaced |
ECC (Elliptic Curve) | Broken by Shor’s Algorithm, must be replaced |
Diffie-Hellman Key Exchange | Broken by Shor’s Algorithm, must be replaced |
AES-128 | Weakened by Grover’s Algorithm, upgrade to AES-256 |
AES-256 | Grover-resistant at acceptable security levels for now |
SHA-256 / SHA-3 | Weakened but not broken, SHA-384 or SHA-3 recommended for PQC transition |
NIST PQC Algorithms (CRYSTALS-Kyber, CRYSTALS-Dilithium, etc.) | Quantum-resistant, use these for future-proofing |
When Will Quantum Computers Arrive? Understanding ‘Q-Day’
Q-Day is the term used to describe the moment when a cryptographically relevant quantum computer (CRQC), one powerful and stable enough to run Shor’s Algorithm against real-world encryption, becomes operational.
Estimates vary widely. Here is what key institutions and experts currently say:
- The U.S. National Institute of Standards and Technology (NIST) has been operating on the assumption that Q-Day could arrive within 10 to 15 years and has already finalized post-quantum cryptography standards.
- IBM’s quantum roadmap projects 100,000+ qubit systems before 2030, though error correction remains a major hurdle.
- The NSA stated in 2022 that it expected a CRQC capable of breaking 2048-bit RSA within the decade.
- Some researchers, like Oded Regev (NYU, 2023), have published new algorithms that could make quantum decryption faster than Shor originally projected.
- China’s quantum investment has accelerated dramatically, and Chinese researchers have published papers suggesting possible near-term breakthroughs.
The honest answer is: no one knows exactly when Q-Day will arrive. But that uncertainty itself is the danger. If you wait until Q-Day is announced to start your transition, you will already be too late. Your data from before the transition will be permanently exposed.
What is Q-Day in cybersecurity?
Q-Day refers to the future moment when a cryptographically relevant quantum computer (CRQC) becomes operational and can break current public-key encryption. It is considered a critical inflection point for global cybersecurity. While the exact date is unknown, the widespread expectation of Q-Day within the next decade is what makes the harvest now, decrypt later threat urgent today.
THE MIGRATION MATH
CISA estimates that migrating large federal agencies to post-quantum cryptography will take 10–15 years. If Q-Day arrives in 10 years, the migration window has already closed for many organizations. This means the clock started years ago, and many organizations are already behind.
Real-World Examples: Is This Actually Happening?
The harvest now, decrypt later threat is not theoretical. Multiple high-profile incidents point to active data collection campaigns consistent with this strategy.
The Volt Typhoon Campaign (2023–2024)
In May 2023, Microsoft and the U.S. government disclosed a large-scale Chinese state-sponsored campaign called Volt Typhoon. The attackers infiltrated U.S. critical infrastructure, including communications, energy, transportation, and water systems, and sat quietly inside networks for months. The goal appeared to be persistent access and data collection, not immediate disruption. Intelligence analysts widely interpreted this as pre-positioning for future capabilities, including possible HNDL operations.
The SolarWinds Supply Chain Attack (2020)
The SolarWinds breach, attributed to Russian intelligence (SVR), gave attackers access to thousands of organizations including U.S. government agencies for up to 14 months. During that time, attackers had access to vast stores of encrypted communications and credentials. Whether harvested data is being stored for future decryption is unknown publicly, but the access window was consistent with data collection at scale.
OPM Breach, U.S. Office of Personnel Management (2015)
China-attributed hackers stole the complete security clearance files of 21.5 million U.S. federal employees and contractors, including fingerprints, psychological evaluations, foreign contacts, and financial data. This data will remain sensitive for decades. It is a textbook example of a long-term intelligence harvest: useless for immediate exploitation of encryption, but extraordinarily valuable when combined with future quantum decryption capabilities.
Post-Quantum Cryptography: The Solution
The good news: the solution already exists. Post-quantum cryptography (PQC) refers to cryptographic algorithms designed to resist attacks from both classical and quantum computers. In August 2024, NIST officially standardized the first set of post-quantum encryption algorithms.
NIST’s Finalized Post-Quantum Standards
Algorithm | Standard & Purpose |
ML-KEM (CRYSTALS-Kyber) | FIPS 203, Key encapsulation / encryption (replaces RSA/ECC for key exchange) |
ML-DSA (CRYSTALS-Dilithium) | FIPS 204, Digital signatures (replaces RSA/ECDSA for signing) |
SLH-DSA (SPHINCS+) | FIPS 205, Stateless hash-based digital signatures |
FN-DSA (FALCON) | FIPS 206 (pending), Compact lattice-based digital signatures |
These algorithms are based on mathematical problems, lattice problems, hash functions, code-based problems, that are believed to be resistant to both classical and quantum attacks. They are the foundation of the post-quantum migration.
Quantum Key Distribution (QKD)
Quantum Key Distribution is a hardware-level approach to secure key exchange. It uses the physical properties of quantum mechanics (specifically, the no-cloning theorem) to detect any eavesdropping on a communication channel. If someone intercepts the key, the quantum state changes and both parties are immediately alerted.
QKD is extremely secure in theory. However, it requires specialized hardware, physical fiber links or satellite connections, and remains expensive and impractical for most organizations at scale. It is better viewed as a complement to PQC rather than a replacement.
What Should Your Organization Do Right Now?
The transition to post-quantum security is not something you do overnight. But every organization, regardless of size, can take steps today. Here is a practical, prioritized action plan:
Step 1: Conduct a Cryptographic Inventory
Before you can fix your exposure, you need to know where your encryption lives. Conduct a full audit of:
- All software systems that use encryption (web apps, APIs, databases, VPNs)
- All communication channels (email, messaging platforms, video conferencing)
- All stored data that is encrypted at rest
- All cryptographic libraries, certificates, and key management systems
- Third-party vendors and supply chain partners who handle your encrypted data
Step 2: Classify Data by Sensitivity and Shelf Life
Not all data is equally at risk. Prioritize based on two factors: how sensitive is the data and how long does it need to remain confidential? Data that must remain secret for 10+ years is at high risk and should be prioritized for re-encryption with PQC algorithms.
Step 3: Begin Planning Your Crypto-Agile Architecture
Crypto-agility means building systems that can switch encryption algorithms quickly and with minimal disruption. Rather than hard-coding a single encryption algorithm into your systems, design for flexibility. This is the most important long-term architectural decision your organization can make.
Step 4: Deploy NIST-Approved Post-Quantum Algorithms
Begin integrating NIST’s approved PQC algorithms into new systems and high-priority existing systems. Start with:
- TLS 1.3 implementations that support hybrid key exchange (classical + PQC combined)
- VPN infrastructure upgrades to PQC-compatible tunneling
- Email encryption systems (replacing PGP/S-MIME with PQC alternatives)
- Code signing certificates updated to PQC signature schemes
- PKI (Public Key Infrastructure) root and intermediate CA migration
Step 5: Work with Vendors and Review the Supply Chain
Your organization’s security is only as strong as your weakest vendor. Audit your technology vendors and cloud providers for their PQC migration timelines. Ask specifically:
- Are your TLS implementations being upgraded to support PQC key exchange?
- What is your timeline for supporting FIPS 203 and FIPS 204?
- How are you handling backward compatibility during the transition period?
Step 6: Train Your Security and Development Teams
Post-quantum cryptography introduces new concepts, new libraries, and new failure modes. Your developers and security engineers need training on PQC implementation best practices, including common pitfalls like incorrect hybrid mode implementation and key size misconfigurations.
Step 7: Monitor and Stay Current
Post-quantum cryptography is still evolving. Follow NIST’s ongoing PQC work, monitor the National Cybersecurity Center of Excellence (NCCoE) migration guidance, and subscribe to threat intelligence feeds that track quantum-related developments from state actors.
The Regulatory and Compliance Angle
For organizations operating in regulated industries, post-quantum readiness is increasingly a compliance requirement, not just a best practice.
- U.S. Federal Agencies: NSM-10 (National Security Memorandum 10, 2022) and OMB M-23-02 mandate federal agencies to inventory cryptographic systems and begin PQC migration. Agencies are required to submit migration plans to CISA.
- Financial Services: The Financial Stability Oversight Council (FSOC) has identified quantum computing as an emerging systemic risk. The SEC and federal banking regulators have issued guidance on technology risk including quantum-related threats.
- Healthcare: HIPAA’s security rule requires implementation of the latest technology standards. Post-quantum readiness is increasingly expected in HHS cybersecurity guidance.
- Defense Contractors (CMMC): Under the Cybersecurity Maturity Model Certification (CMMC) and DFARS regulations, defense contractors must meet evolving cryptographic standards. NIST SP 800-171 is being updated to reflect PQC requirements.
- Canada (PIPEDA / Bill C-27): The proposed Canadian Consumer Privacy Protection Act includes provisions for data security that regulators are expected to interpret in the context of quantum threats.
Regulatory timelines are accelerating. If your organization handles government data, critical infrastructure, or regulated personal data, post-quantum compliance should already be on your board’s agenda.
What Small and Mid-Sized Businesses Need to Know
You might think harvest now, decrypt later attacks only target governments and large enterprises. Think again. Small and mid-sized businesses (SMBs) are often targeted precisely because they are connected to larger organizations through supply chains, share sensitive client or patient data, and have weaker defenses.
Here is what SMBs should prioritize:
- Switch to TLS 1.3 everywhere, TLS 1.3 is more secure and supports modern cipher suites. Ensure all web servers, APIs, and internal services use TLS 1.3.
- Use AES-256 for file encryption and data at rest, This is achievable today with standard tools and provides better quantum resistance than AES-128.
- Choose cloud and SaaS vendors with published PQC roadmaps, Your cloud storage, email, and SaaS tools are handling your encrypted data. Ask your vendors about their PQC plans.
- Work with your MSP or IT security partner, If you outsource IT, make sure your managed service provider is aware of PQC requirements and planning accordingly.
- Do not store sensitive long-lived data in old systems, Legacy systems with outdated encryption are prime targets. Archive and re-encrypt sensitive data using current standards.
Conclusion: The Quiet Race Against Quantum
The harvest now, decrypt later quantum threat is not a science-fiction scenario. It is an active, documented strategy being carried out right now by sophisticated state-sponsored actors who are betting on a quantum future that may be closer than most people think.
Your data does not have to be decrypted today for it to be stolen today. That is the trap. The encryption you rely on for protection is a countdown clock, not a permanent lock.
The organizations that act now, that inventory their cryptographic exposure, begin transitioning to NIST-approved post-quantum algorithms, and build crypto-agile systems, will be the ones that survive Q-Day without catastrophic data exposure.
The ones that wait will find out, sometime in the next decade, that everything they thought was locked was actually already stolen. And now it is open.
The transition to post-quantum security starts today. Not after Q-Day.
