The Harvest Now, Decrypt Later Threat: Why Your Data Is Already at Risk

Somewhere, right now, an encrypted data stream is being copied to a storage array. The data is encrypted. The encryption is strong by current standards. The entity copying it cannot read it today. But they are not copying it to read today. They are copying it to read in ten years, when a quantum computer will make the encryption irrelevant.

This is not speculation. It is the documented operational practice of multiple nation-state intelligence agencies, and it has been ongoing for years. The harvest-now-decrypt-later (HNDL) threat is the most important and least understood element of the quantum computing risk landscape.

The Mechanics of the Attack

Every encrypted communication that traverses the internet can be intercepted at multiple points: fiber optic taps at submarine cable landing stations, mirrors at internet exchange points (IXPs), lawful intercept capabilities at ISPs, and compromised network equipment anywhere in the path.

The interception is passive. The adversary does not modify the traffic, does not alert the sender or receiver. They copy the encrypted data as it flows past. The copy is stored on commodity storage costing a few thousand dollars per petabyte.

The attack proceeds as follows. During a TLS handshake, the client and server exchange public key parameters in the clear (an RSA public key, an ECDHE public key). The adversary records these parameters along with the encrypted application data. Later, a quantum computer computes the private key from the public parameters (factoring RSA or computing the ECDH discrete logarithm). With the private key, they derive the session key and decrypt all application data.

Who Is Doing This

The United States, China, Russia, the United Kingdom, France, Israel, and several other nations operate signals intelligence programs with the capability and motivation to collect encrypted traffic at scale. The NSA's upstream collection programs intercept traffic from fiber optic backbone links. China's intelligence services operate similar programs. Russia's SORM provides ISP-level interception.

The collection is bulk, not targeted: vacuum up everything through a given fiber link, sort later. A year of traffic from a major financial institution might occupy a few petabytes, costing less than $100,000 to store -- functionally free for a nation-state budget.

What Data Is Most Vulnerable

Government classified information: No expiration date on classification. Intelligence assessments created today will still be classified when quantum computers arrive.

Healthcare data: Patient medical records, genetic information, and mental health records are sensitive for the patient's entire lifetime. HIPAA has no time limit on PHI protection obligations.

Legal communications: Attorney-client privilege is indefinite. A breach can waive privilege retroactively across entire subject matters.

Financial data: Trading strategies, merger communications, settlement patterns, and customer financial data have sensitivity horizons measured in years to decades.

Biometric data: Fingerprints, facial geometry, iris patterns, and voiceprints are sensitive for life and cannot be changed if compromised.

The Timeline Question

The most common objection is timeline uncertainty. No one knows when a cryptographically relevant quantum computer (CRQC) arrives. Estimates range from 2030 to 2040.

This uncertainty is precisely why HNDL is urgent. From the adversary's perspective: collecting is cheap, and the payoff is enormous regardless of when the CRQC arrives. Their optimal strategy is to collect everything -- which is exactly what they are doing.

From the defender's perspective: if your data must remain confidential for more than 10 years, it is at risk today, because any reasonable CRQC timeline estimate includes arrival within 10 years.

What You Can Do Today

The single most effective countermeasure is hybrid post-quantum key exchange. Combining X25519 with ML-KEM-768 ensures that data transmitted over hybrid TLS cannot be decrypted by a future CRQC. Hybrid key exchange can be enabled on most web servers with a TLS library upgrade and configuration change. Chrome, Firefox, and Safari all support it. The bandwidth cost is approximately 2 KB per handshake. There is no credible technical reason to delay.

For data already at rest, post-quantum attestation provides immutable integrity records. While attestation does not prevent decryption of already-encrypted data, it provides provenance proof that cannot be forged by a quantum adversary. This is critical for audit trails, compliance records, and any data where integrity matters.

The HNDL threat is not future. It is present-tense, ongoing. Every TLS session using classical-only key exchange adds to the stockpile. The fix exists. It is tested. It is deployed in major browsers. Enable it today, because the data you transmit without it is data you cannot protect retroactively.