A silent heist is underway, and the prize is almost every encrypted byte that’s been sent over the internet. Beneath the surface of the more well-known threats, such as ransomware or phishing scams, lies a quieter and more calamitous crisis that’s slowly looming in the background: the threat of Harvest Now, Decrypt Later (HNDL). It may not have the same menacing ring as many of the threats we’re accustomed to seeing in articles, but it’s a cybersecurity time bomb – so why is no one talking about it?
What is Harvest Now, Decrypt Later?
At its core, the HNDL threat is a long-game approach being employed by sophisticated cybercriminals and nation-state actors aiming to harvest encrypted – yes, encrypted – data today and store it for use at a later date. The concept is simple: bad actors are actively storing encrypted data while they patiently wait for quantum computing to break modern encryption, allowing them to decrypt these troves of data in the future. The day when this all happens, known colloquially to security professionals around the world as Q-Day, is advancing upon us – and faster than many might think. Many modern security professionals agree that Q-Day is only about 5-10 years out. And once that technological leap happens, adversaries will be equipped with the tools to decrypt data retroactively, breaking even the strongest encryption algorithms like RSA, AES and elliptic curve cryptography (ECC) in an instant. The backbone of all internet security relies on these algorithms to secure data and communications, thanks to the sheer mathematical complexity involved. However, quantum computers, which leverage advanced principles of quantum mechanics, will soon have the computing capability to break these algorithms in minutes or even seconds. This means that information encrypted today – think government secrets, financial records, personal health data, or corporate intellectual property – could be exposed in less than a decade, all in one fell swoop: Q-Day.
How Much Is Already at Stake?
The threat of HNDL isn’t hypothetical: it’s happening now. Sophisticated cybercriminals and adversary groups are stockpiling hoards of data and information on a daily basis. Cybercrime organizations are running massive extraction operations where every secure email, VPN session or encrypted file transfer is fair game. It isn’t a question of whether they’re collecting – it’s a question of how much they already have. Hostile governments are very likely sitting on a decade’s worth of secure data and intercepted messages, waiting for the day quantum computers turn it into a geopolitical gold mine. This isn’t just a problem for governments or enterprise-level corporations. Everyday individuals are at risk as well. All your encrypted backups, banking sessions, private messages and confidential information could be sitting with adversaries betting on the decryption capabilities of the near future. The HNDL crisis blurs the line between present security and future vulnerability, making it a uniquely dangerous threat.
Why Aren’t We Talking About This?
Despite the true gravity of the HNDL crisis, the threat remains under-discussed for several reasons. First, quantum computing still feels like science fiction to many. While companies like IBM, Google, and Rigetti are making strides in quantum research, achieving a fully functional, commercially viable quantum computer capable of breaking modern encryption is still likely some years away. This perceived distance gives many a false sense of security – why worry about something that isn’t an immediate threat? Second, the cybersecurity industry is largely occupied with threats that have immediate, realized impacts, like ransomware attacks, operational technology crimes and data breaches that lock up resources or expose millions of passwords on the dark web. HNDL, by contrast, is a slow-burning threat that doesn’t warrant flashy headlines or a clear lineage of affected victims. We are deeply invested in security models that assume encryption is permanent. However, the encryption algorithms used throughout the internet today do have an expiration date. Lastly, one of the main reasons it seems few are talking about it is that cybersecurity is still largely reactive, and the threat of quantum computing requires a proactive approach to strengthening security postures. Securing data today requires a certain level of forward-thinking that most compliance and standardized frameworks haven’t incentivized. For CISOs and key decision makers everywhere, the question is no longer whether the threat of quantum computing and HNDL is real – but whether they will act in time. The next generation of cybersecurity leadership will be defined not by how they responded to the threats of yesterday, but by how they anticipated the ones no one was talking about. The choice is binary: reinforce the illusion of safety or confront the uncomfortable future head-on – and help shape the infrastructure that will protect the digital world for decades to come.
What Can Be Done?
Addressing the HNDL crisis requires a multi-pronged approach, and the good news is that solutions are in motion – though they need more urgency and adoption.
Post-Quantum Cryptography (PQC): Researchers have been developing new encryption algorithms resistant to quantum attacks. These “post-quantum” algorithms rely on mathematical problems, like lattice-based cryptography, that even quantum computers find theoretically difficult to solve. The National Institute of Standards and Technology (NIST) is actively standardizing PQC algorithms, with the first three finalized sets published in mid-2024. Organizations should start transitioning to these standards as soon as possible, especially for data with long-term sensitivity.
Strengthened Key Distribution: In the post-quantum world, security hinges not just on PQC algorithms, but on the actual distribution of quantum-resistant symmetric keys. Traditional methods of key exchange, even those most common today, assume that the underlying public key infrastructure is secure. However, that assumption begins to fail as quantum advancements threaten to break the mathematical foundations of RSA, Diffie-Hellman and ECC. It is imperative that organizations start adopting new frameworks for key distribution that offer unequivocal protection against the emerging threat of quantum computers.
Awareness and Policy: Governments and industries need to prioritize HNDL as a national security issue. Incentives for adopting quantum-resistant technology, funding for quantum-resistant research, and private and public education campaigns can accelerate preparedness for organizations and agencies alike.
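A way to put the first two points into practice is to rank where migration should start: which services still negotiate RSA, Diffie-Hellman or ECC key exchange while carrying data that must stay secret past the Q-Day horizon. The sketch below is an added example, not code from this article; the inventory format, hostnames and secrecy lifetimes are constructed, and the default horizon of 5 years is the lower bound of the 5-10 year estimate quoted above.

```python
# Added example: HNDL triage over a crypto inventory (constructed data).
import re

# Key-exchange names whose security rests on RSA, Diffie-Hellman or ECC.
CLASSICAL = re.compile(r"^(rsa|ffdhe\d+|secp\d+r1|x25519|x448)$", re.I)
# Names carrying ML-KEM (NIST FIPS 203), alone or in a hybrid group.
PQ = re.compile(r"mlkem", re.I)

# Constructed inventory: service, negotiated key exchange,
# and the number of years the data must stay secret.
SAMPLE_INVENTORY = """\
vpn.example.internal      ffdhe2048        15
records.example.internal  secp256r1        25
mail.example.internal     x25519           3
api.example.internal      X25519MLKEM768   10
legacy.example.internal   kex-unknown      7
"""

def classify(kex):
    """Map a key-exchange name to 'pq', 'classical' or 'unknown'."""
    if PQ.search(kex):
        return "pq"
    if CLASSICAL.match(kex):
        return "classical"
    return "unknown"

def triage(inventory, qday_years=5):
    """Return (service, verdict) pairs, most urgent first."""
    rows = []
    for line in inventory.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        service, kex, years = line.split()
        kind, years = classify(kex), int(years)
        if kind == "pq":
            verdict, rank = "ok", 3
        elif kind == "unknown":
            verdict, rank = "review", 1          # cannot be cleared unseen
        elif years >= qday_years:
            verdict, rank = "hndl-exposed", 0    # secrecy outlives the horizon
        else:
            verdict, rank = "expires-before-horizon", 2
        rows.append((rank, -years, service, verdict))
    return [(s, v) for _, _, s, v in sorted(rows)]

if __name__ == "__main__":
    for service, verdict in triage(SAMPLE_INVENTORY):
        print(f"{service:28} {verdict}")
```

Within each verdict, services are ordered by how long their data must remain secret, so the longest-lived classical traffic comes first.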
There’s Still a Path Forward
The threat of Harvest Now, Decrypt Later is a reminder that cybersecurity isn’t just about protecting the present, but about safeguarding the future. Every encrypted byte transmitted today is a potential liability tomorrow. If organizations and key decision makers fail to act now, the cost of inaction can be grave and permanent. The geopolitical, economic, and personal fallout of Q-Day may be staggering without the proper proactive security implementation. However, by embracing post-quantum cryptography, key distribution, refined data practices, and improved awareness, we can defuse this time bomb before it explodes. The HNDL crisis may not dominate headlines yet, but it’s a storm gathering on the horizon and the time to act is now.