As quantum computing leapfrogs at great speed, the spotlight is now on post-quantum cryptography (PQC). Recently, NIST released the first three PQC encryption algorithm standards, urging organizations to test the new algorithms and prepare their cryptographic infrastructures for the inevitable shift to quantum-resistant methods. This push for PQC readiness is driven by a growing concern over the threat of “Harvest Now, Decrypt Later” (HNDL) attacks.
According to the latest forecasts, “Q-Day”—the day when quantum computers will have the power to crack widely used encryption algorithms—could arrive as early as 2035, within a decade. And when it does, it will arm threat actors with the superpower to unleash decryption on a massive scale using the HNDL tactic, shaking the foundations of data security.
What’s more alarming is the news that bad guys are already hoarding sensitive data, waiting for the moment quantum computers can break current encryption methods. For this reason, it is important for organizations to understand the nature of this threat and start building the defenses needed to shield business-critical data from HNDL attacks.
What Are “Harvest-Now, Decrypt-Later” Attacks?
A “harvest-now, decrypt-later” attack is a strategy in which a threat actor simply collects and stores encrypted data today with the intent of decrypting it with a sufficiently powerful quantum computer (when it is available) in the future.
Experts believe that these attacks are mainly being carried out by nation-state actors, targeting sensitive information that remains valuable over time, such as government secrets, bank account information, healthcare records, personally identifiable information (PII), and corporate intellectual property. The attackers may not be able to decrypt the data immediately, but they can intercept communications, steal encrypted data, and store it until they have a powerful quantum computer to break the encryption protecting it.
The driving force behind these attacks is quantum computing’s potential to break today’s widely used public-key encryption algorithms. Virtually all of today’s secure Internet traffic, email communications, databases, and software are protected by encryption algorithms like RSA, ECC, and Diffie-Hellman. These methods are currently secure because cracking them would take many, many years for even the most powerful supercomputers available today. However, with its unparalleled processing power, a CRQC (Cryptographically Relevant Quantum Computer) will be able to break these encryption methods using algorithms like Shor’s in a matter of seconds or minutes. This is the ability that threat actors are counting on. So, amassing valuable encrypted data today is a logical step towards gaining access to it in the future.
In its recently published report on post-quantum cryptography, the Office of Management & Budget (OMB), recognizes “harvest-now, decrypt-later” attacks as a serious threat and considers it as one of the primary precepts for the federal government’s PQC migration strategy.
Why Should You Worry About “Harvest-Now, Decrypt-Later” Attacks Now?
It’s easy to dismiss “Harvest-Now, Decrypt-Later” (HNDL) attacks as a threat relevant only to nation-state espionage targeting classified government documents, national security secrets, or sensitive economic information. Many businesses mistakenly assume they are not at risk. However, this assumption only feeds a false sense of security.
The history of cyberattacks, including the ones on Adobe (2013), Sony (2014), Equifax (2017), Marriott (2018), SolarWinds (2020), and Colonial Pipeline (2021), have made it clear that no sector is immune to cyberattacks. Threat actors are increasingly focusing on corporate intellectual property (IP) and critical enterprise data. In fact, for bad actors, corporate information is just as valuable as government secrets, offering opportunities for large-scale service disruption, economic chaos, and even geopolitical gains.
What makes enterprise businesses particularly vulnerable to HNDL attacks is the long-term value of their data. Sensitive customer information, proprietary research, and intellectual property can remain relevant and valuable for decades. If this data is harvested today, the damage caused by its exposure—even many years later—could be catastrophic. After all, data is the new gold!
One of the most insidious aspects of HNDL attacks is that you won’t know when your data has been stolen. Threat actors can capture encrypted data now and decrypt it years later once quantum computers allow them to do so. By then, the damage is irreversible.
While not all data will retain value over time, and the cost of storing large volumes of data over years is not feasible for attackers, the threat persists. Attackers are becoming more strategic, targeting specific data payloads they know will be valuable in the future. While the costs of storing vast amounts of data over many years may deter some, decrypting highly sensitive information later can be a worthwhile payoff. This is why it’s critical to safeguard your data and communications now rather than waiting until it’s too late.
What Can You Do to Protect Your Data?
To get ahead, you must start preparing your public key infrastructure (PKI) and cryptographic systems for the transition to post-quantum cryptography. PQC algorithms are designed to withstand quantum computing attacks and offer long-term security against HNDL threats.
As part of the preparation, you must first gain visibility into all your cryptographic assets. By leveraging automated discovery tools, create a consolidated inventory of all the cryptography deployed across your infrastructure, forming what is known as a Cryptographic Bill of Materials (CBOM). This inventory is essential for understanding your exposure and developing a strategy for PQC readiness.
AppViewX can help you implement crypto-agility and start preparing today for Post-Quantum Cryptography
Not all data is equally valuable. Analyze your inventory to identify high-value systems and data that must be secure for a decade or more. When it’s time to transition to PQC, start with these systems to minimize the window of risk.
Quantum key distribution (QKD) is an emerging solution designed to establish highly secure communication channels that can withstand both classical and quantum attacks. Although still in its infancy, QKD holds significant potential for protecting sensitive, long-term data.
The other option is to use a quantum-safe virtual private network (VPN). It helps protect data in transit, preventing exfiltration and eavesdropping. This, too, is in early stages of development. But you must plan to adopt it once it’s ready.
To navigate PQC transition effectively, build crypto-agility into your systems. It helps you with the adaptability required to migrate high-risk systems to PQC quickly, seamlessly, and at scale. Automate certificate lifecycle management (CLM) and enforce policy control to enable crypto-agility, so you can rapidly adopt new cryptographic standards as they evolve, even beyond PQC.
Preparing Today to Protect Against “Harvest Now, Decrypt Later” Attacks Is Not Just Prudent—It’s Essential.
Preparing for post-quantum cryptography might seem like a stretch now, given there are many other pressing concerns to be addressed today. Unfortunately, a wait-and-see approach is not an option with quantum computing. The threat posed by “harvest now, decrypt later” (HNDL) attacks is real and is bound to affect every organization, big and small, in some way or the other. If your organization handles sensitive customer data or proprietary information with a long shelf life, you must take proactive steps to safeguard it from exposure. Waiting until quantum computers are fully operational is a risk not worth taking when it comes to attacks like HNDL.
How AppViewX Can Help You Prepare for Post-Quantum Cryptography
- AppViewX PQC Test Center: A dedicated free online resource built to help organizations assess their PQC readiness by generating and testing quantum-safe certificates prior to their integration into existing systems, workloads and machines. You can quickly set up your own quantum-safe PKI hierarchy and generate PQC ready certificates and keys to test their compatibility in your environment. Visit the AppViewX PQC Test Center and begin your PQC journey today.
- PQC Certificate Lifecycle Management: The AppViewX AVX ONE platform offers a comprehensive certificate lifecycle management solution to help enable PQC readiness and crypto-agility with complete certificate discovery and inventory, full certificate lifecycle automation, and total certificate control across the enterprise.
Explore Post-Quantum Cryptography with AppViewX today. Request a demo from one of our experts.