Harvest-Now-Decrypt-Later: The Intelligence Agencies Already Collecting Your Traffic

Every TLS handshake your browser completes today carries an invisible expiration date. The encrypted session itself is secure against current attackers, but the ciphertext leaving your network can be copied, archived, and held indefinitely. When a sufficiently powerful quantum computer arrives — most credible estimates now place this between 2030 and 2040 — much of what was stored will become readable. This is harvest-now-decrypt-later (HNDL), and it is the rare cybersecurity threat that is unfalsifiable from the defender’s side: there is no log entry, no IOC, no breach notification. The data is gone the moment it crosses the wire.

The threat is treated as active by the NSA, CISA, NIST, the UK’s NCSC, the EU’s ENISA, and Australia’s ACSC. The US Office of Management and Budget cited HNDL as a primary justification for the federal post-quantum migration strategy in July 2024. What follows is what’s actually being collected, who is doing the collecting, and why the migration deadline is closer than the quantum timeline suggests.

What Harvest-Now-Decrypt-Later Actually Means

HNDL — also called store-now-decrypt-later or retrospective decryption — describes a strategy rather than a single technique. An adversary positions itself on a network choke point, mirrors encrypted traffic to long-term storage, and waits. The attacker does not need to break anything today. They need bulk capture capability, cheap storage, and patience.

The cryptographic premise is Shor's algorithm, published by Peter Shor in 1994. Shor demonstrated that a quantum computer can factor large integers and compute discrete logarithms in polynomial time, which destroys the security assumptions behind RSA, ECDH, and ECDSA — the asymmetric primitives that secure essentially every TLS handshake, SSH login, signed software update, and certificate chain in production today. Symmetric encryption like AES-256 survives quantum attacks with reduced but still adequate margins. The vulnerability is concentrated almost entirely in the key exchange.

A practical attack on RSA-2048 is estimated to require roughly 4,000 error-corrected logical qubits running for hours to days. The largest publicly demonstrated logical qubit counts as of early 2026 sit in the double digits. The gap is real, but it is closing, and the storage side of the equation has no such barrier — petabyte archiving is already commodity infrastructure.

The HNDL Timeline
A breach today, visible in 2035

- 2026: Capture phase. Encrypted traffic mirrored from backbone, satellite, and exchange points. Costs are storage, not cryptanalysis.
- 2027: CNSA 2.0 procurement deadline. January 1: all new US National Security Systems must be quantum-safe. Compliance clock starts for vendors.
- 2030–35: CRQC arrival window. Median credible estimates for a cryptographically relevant quantum computer. Likely classified before disclosed.
- 2035+: Decryption phase. Stored 2026 ciphertext becomes readable. The breach surfaces a decade after capture, with no defensive remedy available.

Who Is Actually Collecting

Attribution at this scale is rarely confirmable in open sources, but the candidate list is short and the infrastructure is documented. Booz Allen Hamilton’s threat assessment states that Chinese threat groups will likely soon collect encrypted data with long-term utility, expecting to eventually decrypt it with quantum computers. The 2015 OPM breach demonstrated that bulk collection capability already exists at the state level. Russian SVR campaigns including SolarWinds established months-long persistence inside high-value networks. The NSA’s own bulk collection programs were documented in detail by the 2013 Snowden disclosures, and the Utah Data Center remains operational.

Attribution beyond major state actors is harder, but the attack does not require a state. The technical community has documented many large-scale BGP hijacks over the past decade in which sections of global internet traffic were rerouted through adversary-controlled networks. A BGP hijack of even a few minutes against a major exchange yields a meaningful ciphertext archive. Submarine cable taps, satellite downlink interception, and cloud-to-cloud transit monitoring all offer additional collection vectors. The defender has to assume capture; whether any specific session was captured is unverifiable.

What’s Actually at Risk

The simple test is data lifetime. If the confidentiality of a session needs to outlive the cryptographic primitives protecting it, that session is exposed.

High-exposure categories include classified diplomatic and intelligence communications, defense contractor IP tied to weapons systems and aerospace, financial institution trading algorithms and client records, healthcare and genomic data, critical infrastructure control system telemetry, and source code and code-signing keys whose validity must persist for decades. Recent academic modeling of HNDL exposure shows that high-retention sectors such as satellite and health networks face exposure windows extending decades under delayed PQC adoption, while hybrid and forward-secure approaches reduce this risk horizon by over two-thirds.

Low-exposure data exists too. Session cookies expire. Ephemeral chat that’s already been read carries little long-term value. Operational telemetry from short-lived systems is generally fine. The mistake is treating all encrypted traffic as equivalent — the migration math depends on what specific data is in the pipe.

What the Migration Looks Like

NIST finalized the first three post-quantum standards on August 13, 2024: FIPS 203 (Module-Lattice-Based Key-Encapsulation Mechanism, derived from CRYSTALS-KYBER), FIPS 204 (Module-Lattice-Based Digital Signature Standard, derived from CRYSTALS-Dilithium), and FIPS 205 (Stateless Hash-Based Digital Signature Standard, derived from SPHINCS+). The algorithms have been renamed ML-KEM, ML-DSA, and SLH-DSA respectively. A fourth signature standard derived from FALCON — FN-DSA, FIPS 206 — remains in development.

The deployment story is further along than the policy framing suggests. Google Chrome enabled X25519MLKEM768 hybrid key exchange by default in Chrome 131 in November 2024. Signal shipped PQXDH (post-quantum extended Diffie-Hellman) in 2023. Cloudflare and AWS support hybrid TLS in production. The hybrid pattern — combining a classical key exchange like X25519 with ML-KEM in the same handshake — is the de facto interim posture: an attacker has to break both to recover the session key, which gives a margin of safety while the post-quantum algorithms accumulate cryptanalytic scrutiny.

The deadlines that matter for procurement: CNSA 2.0 mandates that all new National Security System acquisitions be CNSA 2.0 compliant by January 1, 2027. The NSA expects full enforcement of CNSA 2.0 across all NSS cryptographic implementations by the end of 2031, with 2035 as the ultimate goal for all US national security systems to be fully quantum-resistant. The G7 Cyber Expert Group issued a statement on January 13, 2026 advancing a coordinated roadmap for post-quantum cryptography transition in the financial sector, and the EU has mandated that Member States develop PQC plans by December 31, 2026.

Algorithm Replacement Map
What’s broken, what replaces it

| Function | Quantum-vulnerable | PQC replacement |
|---|---|---|
| Key exchange | RSA, ECDH, DH | ML-KEM (FIPS 203) |
| Digital signatures | RSA, ECDSA | ML-DSA (FIPS 204) |
| Backup signatures | RSA, ECDSA | SLH-DSA (FIPS 205) |
| Firmware signing | RSA | LMS, XMSS (SP 800-208) |
| Symmetric encryption | AES-128 (margin reduced) | AES-256 (unchanged) |

Why “Wait and See” Fails

The standard objection to migration urgency is that a cryptographically relevant quantum computer doesn’t exist yet, so the threat is theoretical. The objection misreads the timeline.

The relevant heuristic is Mosca’s theorem, articulated by University of Waterloo cryptographer Michele Mosca: if X + Y > Z, you have a problem. X is how long your data needs to stay confidential, Y is how long your migration takes, and Z is when CRQC arrives. For a healthcare provider with 30-year data lifetime needs, a five-year migration project, and a 2035 CRQC arrival estimate, the math fails. The data being encrypted in 2026 is already in the exposure window.

Migration timelines are not software updates. Cryptographic primitives are embedded in HSMs, TLS libraries, certificate authorities, VPN concentrators, code-signing pipelines, smartcards, and protocol handshakes throughout the stack. A serious enterprise migration is multi-year work — inventory, vendor coordination, hybrid pilot, broad deployment, legacy retirement. Organizations starting in 2026 against a 2030 CRQC scenario are already behind the optimistic edge of the curve.

The arrival itself will likely not be announced. If a nation-state achieves the capability to break RSA-2048, it would likely be treated as a strategic intelligence advantage, not a press release. Defenders should not expect a starting gun.

The Honest Defensive Posture

There is no remediation for already-captured ciphertext. Sessions completed before hybrid PQC was enabled are gone — the only question is when an adversary chooses to spend the cryptanalytic budget. The defensive work that matters today is forward-looking:

Build a cryptographic inventory. Most organizations cannot answer “which systems use RSA or ECDH” without a discovery project. CISA, NSA, and NIST jointly published a quantum-readiness factsheet that frames this as the first step. Prioritize systems handling long-lifetime data. Move TLS terminators, VPN concentrators, code-signing infrastructure, and identity providers to hybrid PQC where vendor support exists. Treat crypto-agility — the ability to swap primitives without rewriting application logic — as an architectural requirement, not a future upgrade. And accept that everything currently leaving your network in classical TLS should be assumed to be archived somewhere.
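
The inventory and prioritization steps above, combined with the Mosca inequality from earlier in the article, as an added example (not code from the article or from any agency guidance). The inventory rows are constructed, the `Endpoint` fields and function names are hypothetical, and Z is taken as 2035 minus 2026 from the article's own worked estimate.

```python
from dataclasses import dataclass

# Assumption: the article's worked estimate (data encrypted in 2026, CRQC in 2035).
NOW_YEAR, CRQC_YEAR = 2026, 2035

@dataclass
class Endpoint:
    name: str
    kex: str                  # key-exchange group seen during discovery
    data_lifetime_years: int  # X: how long the data must stay confidential
    migration_years: int      # Y: how long moving this system to PQC will take

def is_quantum_vulnerable(kex: str) -> bool:
    """Heuristic (assumption): hybrid or pure ML-KEM groups carry 'MLKEM' in
    their name, e.g. X25519MLKEM768. RSA, ECDH, DH and plain X25519 do not."""
    return "MLKEM" not in kex.upper().replace("-", "")

def mosca_margin(x: int, y: int, z: int) -> int:
    """Mosca's inequality: a positive result means X + Y > Z, i.e. years of exposure."""
    return x + y - z

def prioritize(inventory, z: int = CRQC_YEAR - NOW_YEAR):
    """Return (name, exposure_years) for classical-kex systems where X + Y > Z,
    worst first. Hybrid systems and short-lived data drop out of the list."""
    findings = []
    for ep in inventory:
        if not is_quantum_vulnerable(ep.kex):
            continue  # already on hybrid PQC: new sessions are not harvestable
        margin = mosca_margin(ep.data_lifetime_years, ep.migration_years, z)
        if margin > 0:
            findings.append((ep.name, margin))
    return sorted(findings, key=lambda f: f[1], reverse=True)

# Constructed sample inventory, not real scan output.
INVENTORY = [
    Endpoint("session-cache", "x25519", 1, 2),             # short-lived data
    Endpoint("vpn-concentrator", "RSA", 10, 3),
    Endpoint("public-website", "X25519MLKEM768", 30, 0),   # hybrid already
    Endpoint("patient-records-api", "secp256r1", 30, 5),   # the article's healthcare case
]

if __name__ == "__main__":
    for name, years in prioritize(INVENTORY):
        print(f"{name}: exposed for {years} years past CRQC arrival")
```

The healthcare case from the article (X=30, Y=5, Z=9) comes out 26 years over the line and sorts to the top, while the short-lived session cache never enters the migration queue.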

The threat doesn’t need quantum computers to be real today. It needs them to be plausible by the time the data still matters. That bar is already cleared.
