
Harvest Now, Decrypt Later: A New Form of Attack


Unless you’re totally new to the quantum conversation, you know that quantum computing promises to unlock revolutionary advances across various industries. On the other hand, quantum-relevant computers will break the modern methods we use to encrypt information — putting the sensitive data of every public and private organization at risk.

With quantum still years away, the question becomes, “Why prepare now?” 

Of course, organizations face problems that seem more business-critical or generally more urgent. But while businesses may wait to start preparing, hackers and bad actors are already making moves. They are stealing massive amounts of encrypted data and shelving it until quantum capabilities become available and allow them to decrypt that data. Included in this data are sensitive details such as customer information, personal financial details, and confidential corporate information.

Organizations should not underestimate the potential consequences of these Harvest Now, Decrypt Later (HNDL) attacks.

Who is stealing what?

Many technical experts see quantum computers at least a decade away. Even when they do arrive, obtaining one won’t be like replacing your laptop. Quantum computers will be complex and resource-intensive to operate.

Most likely, Harvest Now, Decrypt Later attacks are being conducted by nation-state actors. Until quantum computing becomes available, it will be difficult to determine whether these attacks are happening or have happened. However, several incidents have occurred over the past 10 years that resemble an HNDL attack.

  • In 2016, it was discovered that Canadian internet traffic to South Korea was being rerouted to China. In 2019, a similar incident took place in Europe around mobile phone traffic.
  • In 2020, data from Google, Amazon, Facebook, and over 200 other networks was redirected through Russia. Russia has also rerouted internet traffic from Ukraine during the Russo-Ukrainian War.


You may say, “But my organization doesn’t have data on covert military actions or schematics for the next generation of fighter jets.” That may be true, but the line between nation-state espionage and corporate espionage is blurrier than you might think. 

A study by HP’s Wolf Security found that between 2017 and 2020, about a third of cyber attacks conducted by nation-states were aimed at enterprise businesses. China and other nations frequently steal U.S. technology and intellectual property, from GE’s turbines to Tesla’s self-driving technology, from Huntsman’s proprietary chemicals to the latest AI secrets.

Big companies work on big things that influence the infrastructure on which our society’s daily life depends. Whether foreign attackers hope to steal these secrets to benefit their own people or to wield them against their enemies, they will go to great lengths to obtain them.

What to protect and how?

Remember, encrypted data stolen now will sit on the shelf for at least a few years. Many types of data will expire or become irrelevant by the time they can be decrypted. Then there’s the resource expenditure of decrypting the data, meaning the data must provide an ROI to the attacker. In other words, not all data will be worth the trouble. However, with HNDL, all data traveling across the internet is being stored for later decryption and, therefore, will be seen in the future. The value of that data may not currently be predictable.

At the moment, trade secrets, business intelligence, and emerging technologies are the most at-risk data. Industries with long production cycles and significant R&D operations should take precautions against HNDL attacks. Self-driving cars and new pharmaceutical developments are a few examples.

Ask yourself, what data will still be sensitive in five years? 

To guard against HNDL, organizations should work to become more crypto-agile.

To get ahead, organizations must first get up to speed regarding their current cryptography and public key infrastructure. A well-architected and well-managed PKI will make it easy to switch to quantum-resistant algorithms when NIST solidifies guidelines around those algorithms. 

  • Make sure you’re using current protocols and strong keys. 
  • Gain visibility and enable proactive discovery of all cryptographic assets.
  • Reduce PKI sprawl and centralize certificate management.
  • Start exploring tools that have already embraced quantum-resistant encryption, like Signal.
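
One way to act on the first two items above, as an added example that is not part of the original article: a triage pass over a cryptographic inventory that ranks endpoints by HNDL exposure, combining the negotiated protocol and key exchange with how long the data must stay confidential. The inventory fields, host names, the 10-year quantum horizon and the 2-year migration time are all assumptions made for illustration.

```python
# Added example: triage a crypto inventory for Harvest Now, Decrypt Later exposure.
from dataclasses import dataclass

# TLS 1.3 key-exchange groups that include a post-quantum KEM (hybrid groups).
PQ_HYBRID_GROUPS = {"X25519MLKEM768", "SecP256r1MLKEM768", "SecP384r1MLKEM1024"}
CURRENT_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}

@dataclass
class Endpoint:
    name: str
    protocol: str         # negotiated TLS version
    key_exchange: str     # negotiated group, or "RSA" for static RSA key transport
    sensitive_years: int  # how long the data carried must stay confidential

def triage(ep, years_to_quantum=10, migration_years=2):
    """Return (priority, reasons) for one endpoint; both horizons are assumptions."""
    reasons = []
    if ep.protocol not in CURRENT_PROTOCOLS:
        reasons.append("outdated protocol")
    if ep.key_exchange == "RSA":
        reasons.append("no forward secrecy")
    pq_safe = ep.key_exchange in PQ_HYBRID_GROUPS
    if not pq_safe:
        reasons.append("quantum-vulnerable key exchange")
    # Recorded traffic matters only if it is still sensitive once it can be decrypted.
    outlives = ep.sensitive_years + migration_years > years_to_quantum
    if not pq_safe and outlives:
        return "HIGH", reasons + ["data outlives quantum horizon"]
    return ("MEDIUM" if reasons else "OK"), reasons

# Constructed sample inventory (hypothetical hosts, not real systems).
INVENTORY = [
    Endpoint("rnd-files.example.internal", "TLSv1.2", "RSA", 15),
    Endpoint("shop.example.com", "TLSv1.3", "X25519", 1),
    Endpoint("design-vault.example.internal", "TLSv1.3", "X25519MLKEM768", 20),
    Endpoint("legacy-api.example.com", "TLSv1.0", "secp256r1", 3),
]

def report(inventory=INVENTORY, **kw):
    """Rank endpoints so the most HNDL-exposed ones come first."""
    order = {"HIGH": 0, "MEDIUM": 1, "OK": 2}
    rows = [(ep.name, *triage(ep, **kw)) for ep in inventory]
    return sorted(rows, key=lambda r: order[r[1]])

if __name__ == "__main__":
    for name, prio, reasons in report():
        print(f"{prio:6} {name:32} {', '.join(reasons)}")
```

Shortening `years_to_quantum` shows how quickly short-lived data moves up the list, which is the article's "what data will still be sensitive in five years?" question in executable form.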

There is no opting out of quantum

HNDL attacks are just one example of how quantum computing stands to affect all organizations, even those with no plans to pursue quantum-powered innovation. 

As with a tidal wave, you can’t wait until it hits your shores to start preparing. The risks go beyond integration and ecosystem compatibility, not to mention the human challenge of finding people who understand what a quantum world entails and upskilling the people you already have.

Most organizations simply aren’t ready to adapt. They’re stuck in the prerequisite phase of gaining visibility and control over cryptographic assets, modernizing their PKI, and driving organization-wide policies and procedures.

The best time to start preparing was five years ago. The next best time is right now.