Imagine a scenario where adversaries are quietly gathering encrypted communications, files, intellectual property, medical records, and state-secrets today—knowing that their target can’t read them yet. But when quantum computing matures, they plan to pull those encrypted assets from storage and decrypt them at will. This scenario is no longer purely speculative. It’s known in cybersecurity circles as “Harvest Now, Decrypt Later” (HNDL).
Here’s how it works, why it matters, and what organisations should be doing now to prepare.
How bad actors execute HNDL campaigns?
Step A – Harvesting / Collecting:
Bad actors intercept or exfiltrate encrypted data today through methods such as wiretapping, network breaches, compromised backups, cloud-storage access, or third-party supply-chain compromise. They don’t need to break the encryption immediately—the goal is to capture ciphertext that remains unreadable for now.
Step B – Archival & Storage:
The encrypted data is stored — sometimes for years or even decades — in data-centres, third-party cloud repositories or offline archives, patiently waiting for the technology shift that makes decryption feasible. Organisations rarely monitor for this type of “quiet accumulation” of encrypted data.
Step C – Decryption (later):
When computing power (especially quantum) matures sufficiently to break current cryptographic algorithms (such as RSA, ECC) or when new vulnerabilities are discovered, the archived ciphertext is decrypted, exposing once-protected secrets.
Why the threat is real today, not just tomorrow?
- Many assets need protection long into the future (medical records, intellectual property, government secrets). Even if encryption is strong now, its value could be compromised decades later once quantum tech arrives.
- Organisations often assume “because it’s encrypted today, it’s safe”, but HNDL shows that assumption fails if the encrypted data is captured now.
- Quantum computing is advancing rapidly; though widespread, fault-tolerant quantum computers aren’t yet mainstream, the race is on and adversaries assume the time-lag in cryptographic transition offers them a window.
The quantum leap: Why quantum computing changes the rules?
Classical public-key cryptography (e.g., RSA, ECC) is based on hardness of problems like integer factorisation or elliptic-curve discrete logs. But certain quantum algorithms (e.g., Shor’s algorithm) could render these tasks tractable once quantum hardware reaches scale.
That means encrypted data previously considered “safe” may suddenly become vulnerable to decryption post-quantum. In other words: data harvested today can become tomorrow’s breach.
What types of data are at greatest risk?
- Long-lived data: secrets that remain relevant for many years (state / defence intel, archival medical records, intellectual property).
- Data protected by traditional asymmetric cryptography (RSA, older ECC curves) which may not be quantum-safe.
- Communications or transactions where the confidentiality lifetime extends into the quantum era.
- Databases, backups, logs stored in passive fashion but for which an adversary might later retroactively decrypt.
What organisations should do now?
a) Assume you’re being harvested: Plan as though adversaries are collecting your encrypted data today.
b) Inventory cryptographic assets: Map where encryption is used, which algorithms, key lifetimes, as-at-now vulnerabilities.
c) Prioritise crypto-agility: Ensure you can swap or upgrade cryptographic primitives as standards evolve (especially toward post-quantum cryptography).
d) Transition to quantum-resistant algorithms: Evaluate and adopt standards from National Institute of Standards and Technology (NIST) for post-quantum cryptography, as they become available.
e) Protect data in motion and at rest robustly: Consider encrypted archives, managing key-rollovers, monitoring for abnormal collection or storage behaviour.
f) Consider retention risk: If certain data does not need to remain confidential for decades, shorten retention lifetimes or migrate to stronger protection.
g) Educate stakeholders: Business and board-level awareness is critical. The risk of HNDL is strategic, not just tactical.
Why this matters for your stakeholders?
For your clients in geo-politically sensitive sectors like defence, energy, government, environmental etc. and for your cybersecurity service narrative (secure foundation → future-fit IT platform → emerging technologies), the HNDL model fits precisely into “future-fit” and “transform” phases: assuming threats that may materialise, building capabilities now to mitigate them, and leveraging emerging crypto-tech as part of the transformation.
Final thought
The core message: Just because data is encrypted today doesn’t guarantee it’s safe forever. Risks are being accumulated in the present — quietly, by adversaries harvesting now to decrypt later. Organisations that begin planning their crypto-transition now will have a competitive and security advantage.
Read more: https://cyber.rothian.com/ai-drives-80-of-ransomware-the-new-cyber-arms-race/