Harvest Now, Decrypt Later: Why Your Encrypted Data Is Already at Risk
Harvest now, decrypt later (HNDL) is a cyberattack strategy in which adversaries intercept and store encrypted data today, waiting for quantum computers to break the encryption and expose the plaintext. Also called "store now, decrypt later," HNDL is not a theoretical future risk. Nation-state actors and advanced persistent threat groups are actively collecting encrypted traffic, backups, and archived communications right now, betting that cryptographically relevant quantum computers will arrive within the next 5 to 15 years. Google announced a 2029 post-quantum cryptography migration deadline on March 25, 2026. For any organization holding data that must stay confidential beyond that window, the threat is already real. Petronella Technology Group, Inc. helps businesses assess their HNDL exposure and build migration roadmaps to quantum-resistant encryption.
Key Takeaways
- Harvest now, decrypt later attacks are active today. Adversaries stockpile encrypted data for future quantum decryption, making long-lived secrets immediately vulnerable.
- Any data that must remain confidential for 5 or more years, including health records, trade secrets, M&A documents, and classified information, falls within the HNDL threat window.
- NIST finalized three post-quantum cryptographic standards (FIPS 203, 204, 205) in August 2024. Google announced a 2029 PQC migration deadline on March 25, 2026.
- NSA CNSA 2.0 mandates quantum-resistant algorithms for all new National Security System acquisitions by January 1, 2027.
- The first step to counter HNDL is a cryptographic inventory: map every use of RSA, ECC, and Diffie-Hellman across your environment, then prioritize by data lifetime.
What Is Harvest Now, Decrypt Later?
The concept is straightforward. RSA, elliptic-curve cryptography (ECC), and Diffie-Hellman key exchange establish or wrap the keys behind virtually all encrypted data in transit today, and behind much of it at rest. These algorithms rely on mathematical problems, specifically integer factorization and discrete logarithms, that classical computers cannot solve in practical time at the key sizes in use. A quantum computer running Shor's algorithm can solve them efficiently. Once a machine with enough stable, error-corrected qubits exists, every key exchange or key wrap performed with these algorithms can be reversed, and the data it protected becomes readable.
Adversaries understand this timeline. Rather than waiting for quantum computers to arrive and then trying to intercept data, they are collecting encrypted data now. They tap undersea fiber optic cables. They exfiltrate encrypted database backups. They record VPN traffic at network boundaries. They copy encrypted email archives and cloud storage snapshots. The encrypted data sits in storage, sometimes for years, until quantum decryption capability becomes available.
This is not speculation. Intelligence agencies from multiple nations have publicly acknowledged the practice. The U.S. National Security Agency published CNSA 2.0 guidance specifically because HNDL creates a present-tense risk for data with long confidentiality requirements. Google's March 25, 2026 blog post setting a 2029 PQC migration deadline cited HNDL as a primary motivator.
Why HNDL Matters Right Now, Not in 2030
The critical variable in an HNDL attack is not when quantum computers arrive. It is the confidentiality lifetime of the data being targeted.
If the confidentiality window of your data exceeds the estimated time until CRQCs become operational, that data is already at risk. With expert estimates placing CRQC arrival between 2030 and 2040, and Google setting 2029 as its migration deadline, any data that must remain confidential past 2030 is in the HNDL threat window today. The window also has to absorb your own migration time: everything still encrypted under RSA or ECC while the migration is underway is added to the harvestable pool.
This is not just a problem for governments and Fortune 500 companies. Defense contractors handling Controlled Unclassified Information (CUI) under CMMC requirements face immediate exposure. Healthcare organizations subject to HIPAA hold patient records that must remain protected for decades. Law firms, financial institutions, pharmaceutical companies, and manufacturers with long-lived intellectual property are all targets.
Who Is Conducting HNDL Attacks?
HNDL is primarily a nation-state activity because it requires two things most criminal organizations lack: patience and massive storage infrastructure. The payoff comes years from now, which makes it unattractive for financially motivated attackers seeking quick returns. But for intelligence services with long planning horizons and virtually unlimited storage budgets, HNDL is a rational strategy with an asymmetric payoff.
The threat actors most commonly associated with HNDL collection include:
- State intelligence services with access to network infrastructure, undersea cable taps, and ISP-level intercept capabilities. Multiple countries have acknowledged or been documented conducting bulk encrypted traffic collection.
- Advanced persistent threat (APT) groups that exfiltrate encrypted database backups, email archives, and cloud storage during intrusions. Even when responders determine that "only encrypted data was taken," HNDL changes the risk calculation entirely.
- Supply chain compromise operators who position themselves to intercept encrypted communications at chokepoints: CDN providers, managed security services, cloud interconnects, and certificate authorities.
The economics favor the attacker. Storage costs continue to drop. A petabyte of storage, enough to hold years of intercepted encrypted traffic from a mid-size organization, costs under $20,000 today. The cost of quantum decryption, once available, will decrease over time as the technology matures.
What Quantum Computing Changes About Encryption
What breaks: RSA, ECC (ECDSA, ECDH), Diffie-Hellman, and DSA. These algorithms protect TLS/SSL connections, VPN tunnels, SSH sessions, email encryption (S/MIME, PGP), code signing, and certificate-based authentication. Shor's algorithm solves the underlying mathematical problems efficiently on a quantum computer.
What remains secure: symmetric encryption such as AES-256 and hash functions such as SHA-384. Grover's algorithm gives at most a quadratic speedup against brute-force key search, which is usually described as halving the key's bit strength: AES-256 is then treated as offering roughly 128-bit security against a quantum attacker, which is still far beyond any feasible attack. In practice the loss is smaller than the halving suggests, because Grover's search parallelizes poorly and needs very long sequential quantum circuits. The same reasoning applies to hash preimages, which is why larger outputs such as SHA-384 are preferred in post-quantum designs.
The HNDL threat specifically targets the asymmetric key exchange. When an adversary records a TLS session, they capture the key exchange (typically ECDHE) and the encrypted data stream. Today, breaking the ECDHE key exchange is infeasible. With a CRQC, the attacker recovers the ephemeral private key from the recorded public share, derives the same session key the endpoints derived, and decrypts the entire recorded session. Forward secrecy does not help here: it only stops a later compromise of the server's long-term key from exposing past sessions, and this attack never needs that key. Signature-only uses such as code signing and certificate authentication are different: a CRQC lets an attacker forge them in the future, but forgery does not reveal data recorded in the past, so they are a Q-Day migration problem rather than a harvesting problem.
This is why post-quantum cryptography focuses on replacing public-key algorithms. NIST finalized three PQC standards in August 2024:
- ML-KEM (FIPS 203), based on CRYSTALS-Kyber, for key encapsulation (replacing ECDHE and RSA key exchange)
- ML-DSA (FIPS 204), based on CRYSTALS-Dilithium, for digital signatures (replacing ECDSA and RSA signatures)
- SLH-DSA (FIPS 205), based on SPHINCS+, as a hash-based signature alternative for highest-assurance use cases
The Compliance Clock Is Ticking
For defense contractors, the NSA CNSA 2.0 January 1, 2027 deadline is roughly nine months away as of March 2026. Organizations in the CMMC ecosystem should expect post-quantum requirements to appear in future assessment criteria. Healthcare organizations should monitor the proposed HIPAA encryption rule expected around May 2026.
How HNDL Changes Your Incident Response Calculus
HNDL fundamentally alters how organizations should assess data breaches. Traditionally, when an adversary exfiltrates encrypted data without obtaining the decryption keys, the breach is considered lower severity. Many organizations have reported breaches with language like "only encrypted data was accessed" to minimize regulatory and reputational impact.
HNDL eliminates that comfort. Encrypted data exfiltrated today may become plaintext tomorrow. This has concrete implications:
- Breach notification timelines may need to account for future quantum decryption risk, not just current decryption capability.
- Data retention policies need revision. Every additional year of encrypted data you retain is another year of HNDL-exposed material if the keys are RSA or ECC-based.
- Cyber insurance policies may begin excluding quantum-related losses or requiring PQC migration as a condition of coverage.
- Third-party risk assessments should evaluate vendor PQC readiness, not just their current encryption strength.
Five Steps to Defend Against HNDL
1. Cryptographic Inventory
Build a cryptographic bill of materials (CBOM) covering every TLS certificate, VPN endpoint, SSH key, code signing certificate, KMS/HSM integration, and third-party dependency, recording for each the algorithm, key size, what data it protects, and who owns it. Most organizations are surprised by the breadth of their cryptographic footprint. You cannot protect what you have not mapped.
2. Classify by Data Lifetime
Map every encrypted data flow against its required confidentiality window. Data that must remain secret for 5+ years is the priority. Health records, trade secrets, classified info, and legal communications go to the top of the list.
3. Pilot Hybrid Key Exchange
Combine classical X25519 with ML-KEM in TLS 1.3 handshakes; the standardized hybrid group is named X25519MLKEM768. Both shared secrets feed the key schedule together, so the connection stays confidential as long as either algorithm remains unbroken. Google Chrome, Cloudflare, and AWS already negotiate this in production with negligible latency impact; the visible cost is a little over a kilobyte of extra handshake data in each direction.
4. Protect Data at Rest
Use envelope encryption: the data stays encrypted under a symmetric data encryption key (DEK), and only the key-wrapping layer changes. Wrap each DEK under both a classical KEK and a post-quantum KEK established via ML-KEM, so the underlying data does not need re-encryption. Prioritize backups, archives, and cold storage with long retention periods. Two caveats: a DEK that was only ever wrapped with a symmetric KEK (the default in most KMS-backed designs) has no HNDL exposure to begin with, so concentrate on archives whose keys were wrapped or transported with RSA or ECC, such as PGP-encrypted backups; and re-wrapping fixes the copies you still control, not copies already exfiltrated under the old wrapping.
What Small and Mid-Size Businesses Should Do First
SMBs do not need a multi-year, multi-million-dollar migration program to address HNDL. The first three actions are accessible at any budget level:
- Inventory your encryption. List every TLS certificate, VPN endpoint, and encrypted data store. Identify which use RSA or ECC key exchange. Free tools like SSL Labs and OpenSSL can scan your external endpoints in hours.
- Identify your longest-lived secrets. What data in your environment must stay confidential the longest? Client records, financial data, intellectual property, and employee PII are common candidates. If any of these must remain confidential past 2030, you have HNDL exposure.
- Talk to your IT provider. Ask them specifically about post-quantum cryptography migration planning. If they cannot articulate a roadmap, consider working with a provider that can.
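Steps 1 and 2 of the defense plan above and the first two SMB actions are one procedure: list every cryptographic use, flag the Shor-vulnerable ones, and rank them by how long the protected data must stay secret. The script below is an added example of that triage, not tooling from the article or from Petronella Technology Group. It applies the widely used Mosca rule, which extends the article's shelf-life test by adding the organization's own migration time: an item is exposed when shelf life plus migration time exceeds the years remaining until a CRQC. The 2030 horizon, the three-year migration allowance, the 2026 reference year, and the inventory records are constructed assumptions, and the name-based algorithm classification is deliberately simple.

```python
"""HNDL triage over a small cryptographic inventory (added example, standard library only).

Rule applied (the "Mosca" inequality; horizon and migration figures are assumed):
    shelf_life_years + migration_years > years_until_crqc   =>  exposed
Signature-only uses are flagged for migration but never as harvestable, because a
future forgery does not decrypt data recorded in the past.
"""
from __future__ import annotations

from dataclasses import dataclass

CRQC_YEAR = 2030        # assumed CRQC horizon (the article cites estimates of 2030-2040)
MIGRATION_YEARS = 3.0   # assumed time this organization needs to finish migrating
NOW_YEAR = 2026         # reference year (the article is dated March 2026)

# Markers for NIST post-quantum algorithms. A hybrid such as X25519MLKEM768 counts
# as resistant because the exchange holds if either component holds.
PQ_MARKERS = ("ML-KEM", "MLKEM", "ML-DSA", "MLDSA", "SLH-DSA", "SLHDSA")
# Markers for public-key algorithms that Shor's algorithm breaks.
SHOR_MARKERS = ("RSA", "ECDH", "ECDSA", "X25519", "X448", "ED25519", "ED448",
                "DH", "DSA", "SECP", "P-256", "P-384", "P-521")


def is_shor_vulnerable(alg: str) -> bool:
    """True when the named algorithm relies on a Shor-breakable primitive with no PQ component."""
    a = alg.upper().replace("_", "-")
    if any(m in a for m in PQ_MARKERS):
        return False
    return any(m in a for m in SHOR_MARKERS)


@dataclass(frozen=True)
class CryptoUse:
    name: str
    key_exchange: str | None   # establishes or wraps the content key; this is what gets harvested
    signature: str | None      # authenticates only; forgeable after Q-Day, not harvestable
    shelf_life_years: float    # how long the protected data must stay confidential


@dataclass(frozen=True)
class Finding:
    name: str
    status: str                # "HNDL-EXPOSED", "MIGRATE-BEFORE-CRQC" or "OK"
    margin_years: float        # slack under the Mosca rule; negative means exposed
    reason: str


def assess(use: CryptoUse, crqc_year: int = CRQC_YEAR,
           migration_years: float = MIGRATION_YEARS, now_year: int = NOW_YEAR) -> Finding:
    """Classify one inventory record against the CRQC horizon."""
    years_to_crqc = crqc_year - now_year
    margin = years_to_crqc - (use.shelf_life_years + migration_years)
    kex_weak = use.key_exchange is not None and is_shor_vulnerable(use.key_exchange)
    sig_weak = use.signature is not None and is_shor_vulnerable(use.signature)
    if kex_weak and margin < 0:
        return Finding(use.name, "HNDL-EXPOSED", margin,
                       f"{use.key_exchange} protects data that must stay secret "
                       f"{use.shelf_life_years:g}y; recorded ciphertext outlives the CRQC horizon")
    if kex_weak or sig_weak:
        weak = use.key_exchange if kex_weak else use.signature
        return Finding(use.name, "MIGRATE-BEFORE-CRQC", margin,
                       f"{weak} breaks at Q-Day but harvested data does not outlive it")
    return Finding(use.name, "OK", margin, "no Shor-vulnerable algorithm in the path")


def triage(inventory: list[CryptoUse], **kw) -> list[Finding]:
    """Highest risk first: exposed items, then least slack within each status."""
    order = {"HNDL-EXPOSED": 0, "MIGRATE-BEFORE-CRQC": 1, "OK": 2}
    findings = [assess(u, **kw) for u in inventory]
    return sorted(findings, key=lambda f: (order[f.status], f.margin_years))


# Constructed sample inventory (a tiny CBOM); every name and figure here is invented.
SAMPLE_INVENTORY = [
    CryptoUse("patient-portal TLS", "ECDHE-P256", "ECDSA-P256", shelf_life_years=25),
    CryptoUse("site-to-site VPN (IKEv2)", "DH-group14", "RSA-2048", shelf_life_years=10),
    CryptoUse("offsite backup archive (PGP)", "RSA-4096", "RSA-4096", shelf_life_years=7),
    CryptoUse("public website TLS", "X25519MLKEM768", "ECDSA-P256", shelf_life_years=0.5),
    CryptoUse("firmware code signing", None, "ECDSA-P384", shelf_life_years=0),
    CryptoUse("KMS envelope encryption", "AES-256-KW", None, shelf_life_years=30),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.status:<21} margin={f.margin_years:+6.1f}y  {f.name}: {f.reason}")
```

Run as-is, the three items whose key wrapping or exchange is RSA, ECDH or finite-field DH and whose data outlives the horizon sort to the top; the hybrid-protected website and the code-signing key are flagged for migration only, and the symmetric KMS wrap is untouched even with a 30-year shelf life. Swap in your own records, and revisit CRQC_YEAR and MIGRATION_YEARS as estimates change.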
The Cost of Waiting
The SHA-1 to SHA-2 migration, a comparatively simple hash algorithm swap, took the industry over a decade. Post-quantum migration is more complex by an order of magnitude because it affects key exchange, digital signatures, authentication, PKI hierarchies, code signing, and device firmware. Organizations that start now can spread the cost across 3 to 5 budget cycles, pilot incrementally, and avoid the operational risk of a rushed cutover.
Organizations that wait until CRQCs are publicly demonstrated will face a compressed timeline with premium consulting costs, emergency vendor upgrades, and the knowledge that years of their encrypted data is already in adversary hands, waiting to be decrypted. The HNDL clock started years ago. Every month of delay is another month of encrypted communications and backups added to the adversary's stockpile.
Updated March 2026. Compliance timelines current as of publication date.
Frequently Asked Questions About Harvest Now, Decrypt Later
What is a harvest now, decrypt later attack?
Is harvest now, decrypt later actually happening?
What types of data are most vulnerable to HNDL attacks?
Does AES-256 encryption protect against quantum attacks?
What is the difference between HNDL and Q-Day?
How does post-quantum cryptography stop HNDL attacks?
When should my business start preparing for HNDL threats?
Is Your Data Already Being Harvested?
Petronella Technology Group, Inc. helps businesses assess their HNDL exposure and build a migration roadmap to post-quantum encryption standards. Our team holds CMMC-RP and CMMC-CCA credentials with deep expertise in compliance-driven security.
BBB A+ Rated Since 2003 • 24+ Years in Business • 2,500+ Clients Served