Definition

Harvest Now, Decrypt Later (HNDL) is a cyberattack strategy in which adversaries intercept and store encrypted data today with the intent of decrypting it in the future. Quantum computers will be capable of breaking most of the cryptography that is currently deployed. Therefore, once they become powerful enough, data being encrypted right now will become accessible. The encrypted data, harvested in bulk from network traffic, is shelved until quantum capabilities make decryption feasible.

HNDL is not a theoretical threat. Adversaries are actively stealing massive amounts of encrypted data, including customer information, personal financial details, and confidential corporate information, and waiting to have the right tools to unlock it. Unlike traditional cyberattacks that seek immediate exploitation, HNDL attacks are a long game. The payoff may be years away, but the harvesting is happening now.

What makes HNDL uniquely dangerous is that it is passive and largely undetectable. Organizations cannot determine whether their encrypted traffic has been intercepted and stored. There is no breach notification, no immediate indicator of compromise, and no way to retroactively protect data that has already been harvested. All that encrypted information travels in public infrastructure and is free for everyone to see. It remains secret for now, but once quantum decryption becomes available, if the data is protected with classical cryptographic algorithms, it immediately becomes exposed, regardless of how strong the encryption was at the time of capture.

For security leaders and CISOs, HNDL reframes the quantum computing conversation from a future technology initiative to a present-day data protection risk.

How a Harvest Now, Decrypt Later attack works

An HNDL attack unfolds in three stages, each exploiting a different vulnerability in how organizations transmit and protect data.

Stage 1: Intercept encrypted data in transit

Adversaries position themselves to capture encrypted network traffic at scale. Common interception techniques include BGP (Border Gateway Protocol) hijacking, which reroutes internet traffic through attacker-controlled infrastructure; man-in-the-middle (MITM) approaches at major internet exchange points; and compromise of telecommunications infrastructure or undersea cable taps.

The attacker does not need to decrypt anything at this stage. They simply need to capture and store the raw encrypted data stream. Because the data remains encrypted throughout, traditional intrusion detection systems and network monitoring tools do not flag the activity as malicious.

Stage 2: Store the data indefinitely

Once captured, the encrypted data is archived in bulk storage. Storage costs have dropped dramatically over the past decade, making it economically feasible for well-resourced adversaries to warehouse petabytes of encrypted traffic. Nation-states with significant infrastructure budgets can maintain these archives indefinitely.

The data sits dormant, waiting for a technological breakthrough that makes decryption possible.

Stage 3: Decrypt with quantum computing

When a cryptographically relevant quantum computer (CRQC) becomes available, the attacker retrieves the stored data and applies quantum algorithms, such as Shor’s algorithm, to break the asymmetric schemes (such as RSA and Diffie-Hellman) leveraged for the encryption that protected the data. What was once impenetrable becomes fully readable.

This is the critical distinction: the encryption that protects data today is not permanent. It is only as durable as the computational limits of the adversary. Quantum computing removes those limits for asymmetric cryptography.

As alluded to above, until quantum computing becomes available, it will be difficult to prove that these attacks are happening or have happened. That is precisely what makes HNDL so insidious.

Who is behind HNDL attacks?

Some of the most likely conductors of Harvest Now, Decrypt Later attacks are nation-state actors. The resources required to intercept, transport, and store massive volumes of encrypted data over years, combined with the patience to wait a decade or more for quantum decryption, make this an operation that well-funded adversaries can sustain.

Even if a nation state is a likely perpetrator, its targets are not only other nation states. According to HP’s Wolf Security study, between 2017 and 2020, about a third of cyberattacks conducted by nation-states were aimed at enterprise businesses, not just government or military targets. The line between nation-state espionage and corporate espionage is blurrier than you might think.

Various nations are known for frequently stealing U.S. technology and intellectual property. High-profile examples span industries: GE’s turbines, Tesla’s self-driving technology, Huntsman’s proprietary chemicals, and emerging AI secrets. These thefts demonstrate that nation-states are already investing heavily in acquiring long-term strategic intelligence from the private sector. HNDL simply adds a quantum-powered decryption capability to an existing playbook.

Why enterprise businesses are targets

Enterprise organizations are attractive HNDL targets for several reasons:

  • They transmit large volumes of sensitive data across public networks daily.
  • Their intellectual property and trade secrets retain strategic value for years or decades.
  • Many operate in industries with long R&D cycles where stolen data remains relevant far into the future.
  • Their security postures, while often mature, are designed to detect active exploitation, not passive data harvesting.

Security leaders should not assume that HNDL is limited to defense or intelligence sectors. Any organization that transmits data with long-term strategic value is a potential target.

Real-world examples of suspected HNDL activity

While definitive attribution of HNDL attacks is inherently difficult (the “decrypt later” phase has not yet occurred at scale), several documented incidents over the past decade exhibit the hallmarks of large-scale data harvesting through traffic rerouting:

  • 2016: Canadian internet traffic destined for South Korea was rerouted through China, exposing encrypted communications to potential interception by Chinese infrastructure.
  • 2019: European mobile phone traffic was rerouted in an incident that raised concerns about nation-state data collection at scale.
  • 2020: Data from Google, Amazon, Facebook, and more than 200 other networks was redirected through Russia in a large-scale Border Gateway Protocol hijacking event.
  • Russo-Ukrainian War: Russia rerouted internet traffic from Ukraine, a tactic consistent with both real-time intelligence collection and long-term data harvesting.

Each of these incidents involved the redirection of encrypted traffic through nation-state infrastructure. Whether the intercepted data was stored for future quantum decryption remains unconfirmed, but the pattern aligns precisely with the HNDL threat model.

These examples are important because they demonstrate that the “harvest now” phase of HNDL is not speculative. The infrastructure and operational tradecraft for large-scale encrypted data interception already exist and are actively used.

What data is most at risk?

Not all data justifies the effort of an HNDL attack. Many types of data will expire or become irrelevant by the time quantum decryption becomes available. For an HNDL operation to make economic sense, the data must provide an ROI to the attacker years or even decades from now.

The critical question every organization should ask: What data will still be sensitive in five years? In ten? In twenty?

High-value targets for HNDL

The data most at risk includes:

  • Trade secrets and business intelligence:
    Proprietary processes, formulas, strategic plans, and competitive intelligence that retains its value over long time horizons.
  • Emerging technologies and R&D:
    Self-driving car algorithms, new pharmaceutical developments, advanced materials research, and next-generation semiconductor designs. Industries with long production cycles and significant R&D operations should take particular precautions.
  • Government and military communications:
    Classified intelligence, diplomatic correspondence, and defense-related data with multi-decade sensitivity requirements.
  • Financial records and contracts:
    Long-term agreements, M&A documentation, and transaction records with legal and regulatory significance.
  • Healthcare and patient data:
    Medical records, clinical trial data, and genomic information that remains sensitive for the lifetime of the individual.

The attacker’s ROI calculation

Adversaries conducting HNDL operations are making a deliberate investment calculation. They are weighing the cost of interception and storage against the expected value of decrypted data years from now. This is why HNDL disproportionately targets data with long shelf lives, because that is where the return exceeds the investment.

Industries with long production cycles, extensive R&D operations, and data that retains strategic value over decades are the primary targets. As the threat landscape evolves, organizations in these sectors need to evaluate their exposure with urgency.

The quantum computing timeline and why it matters now

A common objection to preparing against quantum threats goes like this: “Quantum computers capable of breaking encryption are still years away. Why should we invest in defenses now?”

One answer lies in the asymmetry between the attacker’s timeline and the defender’s timeline that underlies the HNDL attack.

The attacker’s timeline is already underway

Adversaries are harvesting data today. The encrypted data captured in 2024 or 2025 will not lose its encryption immediately. It will sit in storage, and when quantum decryption becomes available, it will be decrypted. The attacker’s clock started years ago.

The defender’s timeline is just beginning

Most organizations have not yet begun their transition to Post-Quantum Cryptography (PQC). That transition involves discovering and inventorying all cryptographic assets, evaluating which systems depend on vulnerable algorithms, testing quantum-resistant replacements, and deploying them across the enterprise. This is not a patch cycle. It is a multi-year infrastructure transformation.

Many technical experts see CRQCs at least a decade away. But the PQC migration itself could take three to five years for a well-prepared organization, and significantly longer for those starting from scratch. Factor in regulatory timelines, vendor readiness, and the sheer complexity of cryptographic dependencies across modern enterprises, and the preparation window narrows considerably.

Device lifespans extend the risk

The problem is compounded in industries where equipment and devices have operational lifespans measured in decades. Telecommunications equipment supporting 5G and 6G networks is designed for 20 to 30 years of operation. Aerospace airframes are built for 40-year service lives. Medical devices in the field may run for 15 years or more. Industrial control systems in critical infrastructure are rarely replaced.

If these devices are deployed today with cryptography that quantum computers will break, they will be vulnerable for the majority of their operational life. The window to embed quantum-resistant cryptography is before deployment, not after.

NIST post-quantum cryptography standards

NIST has finalized its first set of post-quantum cryptography standards, providing the algorithmic foundation for the transition. Separately, the NSA has released CNSA 2.0, which outlines requirements and concrete deadlines for the transition to quantum-resistant cryptography. Organizations that wait for quantum computers to arrive before acting will find themselves years behind in a migration that should have already started.

Beyond HNDL: the Trust Now, Forge Later threat

Harvest Now, Decrypt Later targets the confidentiality of encrypted data. But quantum computing poses an equally serious, and potentially more damaging, threat to digital signatures: a concept that security experts are calling Trust Now, Forge Later.

What is Trust Now, Forge Later?

Where HNDL threatens encryption (the ability to keep data secret), Trust Now, Forge Later threatens authentication and integrity (the ability to prove who signed something and that it has not been tampered with). Digital signatures underpin PKI, code signing, firmware validation, contract execution, and identity verification. Quantum computers capable of forging signatures would undermine the entire trust infrastructure that organizations depend on. Signatures cannot be forged retroactively, so trust is only broken once a powerful enough quantum computer exists, but the consequences for planning and infrastructure are already felt today.

The implications for PKI and nonrepudiation

The impact on PKI is profound. Nonrepudiation, the assurance that a signer cannot deny having signed a document, depends on the mathematical difficulty of forging a digital signature. Once quantum computers can forge signatures, nonrepudiation fails. As Keyfactor CSO Chris Hickman has stated, “Nonrepudiation goes on day one.”

This affects:

  • Contracts and legal agreements signed with digital signatures that may need to remain valid for decades.
  • Firmware updates for IoT devices, medical equipment, and critical infrastructure, where a forged signature could allow malicious code to be installed.
  • Identity verification in PKI-based authentication systems.
  • Code signing for software supply chain integrity.

Trust is hard to recover. In 2011, the Dutch company DigiNotar was breached and made to issue fraudulent certificates, undermining the trust that PKI provides. Once the scope became clear, browsers revoked trust in DigiNotar entirely and the company soon collapsed.

Why Trust Now, Forge Later may be more damaging than HNDL

The attacker ROI comparison is stark. An adversary pursuing HNDL must harvest, transport, and store terabytes of encrypted data, then wait years for quantum decryption, all for an uncertain payoff. An adversary pursuing Trust Now, Forge Later needs to break a comparatively small number of roots of trust to undermine entire certificate hierarchies. The comparison between breaking 50 roots of trust and harvesting terabytes of data is not even a challenge from the attacker’s perspective.

Public certificates are particularly vulnerable because they are, by definition, publicly available. An attacker does not need to intercept anything. They simply need the quantum capability to forge.

Organizations preparing for HNDL should recognize that Trust Now, Forge Later demands equal attention, particularly for systems that rely on long-lived digital signatures and PKI-based trust chains.

Industries and use cases most vulnerable to HNDL

Coming back to HNDL, the risks associated with it correlate directly with two factors: how long data or systems remain sensitive, and how difficult it is to update the cryptography protecting them. The following industries face the highest exposure.

Telecommunications

Network equipment supporting 5G and 6G infrastructure is designed for operational lifespans of 20 to 30 years. If deployed with quantum-vulnerable cryptography, this equipment will be exposed for the majority of its service life. The encrypted communications traversing these networks today could be harvested and decrypted later.

Critical infrastructure

Energy grids, water systems, and industrial IoT networks depend on cryptographic protections for operational security. These systems are difficult to update and are designed for long operational lifespans, creating a persistent vulnerability window.

Aerospace and defense

Aircraft airframes are designed for 40-year service lives. Avionics systems, communication links, and onboard data processing all depend on cryptographic protections that must remain effective for the full operational period. Regulatory approval cycles for cryptographic changes in aerospace are measured in years, not months.

Automotive

Self-driving technology represents years of R&D investment. Intellectual property related to autonomous vehicle algorithms, sensor fusion techniques, and safety systems is exactly the type of long-lived, high-value data that HNDL attacks are designed to capture.

Medical devices

Safety-critical medical devices rely on firmware integrity to function correctly. A compromised digital signature on a firmware update could have life-threatening consequences. Device lifespans of 10 to 15 years, combined with slow regulatory update cycles, make this sector particularly vulnerable.

Financial services

Long-term contracts, transaction records, and regulatory filings contain data that retains legal and financial significance for decades. Trade secrets related to algorithmic trading, risk models, and proprietary financial instruments are high-value HNDL targets.

How to protect your organization against HNDL attacks

Defending against HNDL is not about deploying a single product or applying a quick fix. It requires a systematic approach to cryptographic modernization. The following framework provides a prioritized path forward.

Gain visibility into your cryptographic assets

The first step is to understand what you have. Most organizations lack a complete inventory of their cryptographic assets: certificates, keys, algorithms, and protocols deployed across their infrastructure. Without this visibility, it is impossible to assess quantum exposure or plan a migration.

Proactive discovery of all cryptographic assets across the enterprise provides the foundation for every subsequent step. Organizations need to know where RSA and ECC are in use, which systems depend on them, and what the certificate and key lifecycle looks like across the environment. For more on this topic, see Keyfactor’s resource on cryptographic discovery.
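
As an added example (not Keyfactor code or part of the original article), the sketch below triages a small TLS inventory for HNDL exposure: it classifies each endpoint's key exchange and ranks endpoints by how many years recorded traffic would outlive its protection, using Mosca's inequality (shelf life + migration time > time to a CRQC). Assumptions: the inventory records and hostnames are constructed, the defaults of 10 years to a CRQC and 4 years of migration are taken from the ranges quoted above, and the hybrid group names are the IANA-registered ML-KEM hybrids for TLS 1.3.

```python
from dataclasses import dataclass
from typing import Optional

# IANA-registered hybrid TLS 1.3 groups (classical ECDH combined with ML-KEM).
PQ_HYBRID_GROUPS = {"X25519MLKEM768", "SecP256r1MLKEM768", "SecP384r1MLKEM1024"}
# Classical (EC)DH groups: forward secret today, but breakable with Shor's algorithm.
CLASSICAL_GROUPS = {"x25519", "x448", "secp256r1", "secp384r1", "secp521r1",
                    "ffdhe2048", "ffdhe3072", "ffdhe4096"}


@dataclass
class Endpoint:
    name: str
    cipher_suite: str
    kex_group: Optional[str]   # None when no (EC)DH group is negotiated
    shelf_life_years: int      # how long the data carried must stay secret


def classify_kex(ep: Endpoint) -> str:
    """Classify the key exchange, which is what HNDL actually attacks."""
    if ep.kex_group in PQ_HYBRID_GROUPS:
        return "pq-hybrid"
    if ep.cipher_suite.startswith("TLS_RSA_WITH_"):
        # Static RSA key transport: no forward secrecy, so recorded sessions
        # also fall to any later theft of the server key, not only to a CRQC.
        return "static-rsa"
    if ep.kex_group in CLASSICAL_GROUPS:
        return "classical-dh"
    return "unknown"           # fail closed: scored as vulnerable below


def exposure_years(ep: Endpoint, years_to_crqc: int, migration_years: int) -> int:
    """Years that harvested traffic is readable while still sensitive.

    Mosca's inequality: traffic sent until migration completes must stay
    secret for shelf_life_years; exposed if that runs past CRQC arrival.
    """
    if classify_kex(ep) == "pq-hybrid":
        return 0
    return max(0, ep.shelf_life_years + migration_years - years_to_crqc)


def triage(inventory, years_to_crqc: int = 10, migration_years: int = 4):
    """Return (name, kex class, exposure years), worst exposure first."""
    rows = [(ep.name, classify_kex(ep),
             exposure_years(ep, years_to_crqc, migration_years))
            for ep in inventory]
    return sorted(rows, key=lambda r: (-r[2], r[0]))


# Constructed sample inventory (hypothetical hosts, not real scan output).
SAMPLE_INVENTORY = [
    Endpoint("hr-portal.example", "TLS_RSA_WITH_AES_256_GCM_SHA384", None, 7),
    Endpoint("rnd-git.example", "TLS_AES_256_GCM_SHA384", "x25519", 20),
    Endpoint("status.example", "TLS_AES_128_GCM_SHA256", "secp256r1", 1),
    Endpoint("patient-api.example", "TLS_AES_256_GCM_SHA384", "X25519MLKEM768", 50),
]

if __name__ == "__main__":
    for name, kex, years in triage(SAMPLE_INVENTORY):
        print(f"{name:22} {kex:13} exposed for {years} year(s)")
```

Endpoints with a non-zero result are the ones whose key exchange should move to a hybrid group first; the status page drops out because its data expires long before the assumed CRQC date.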

Modernize and centralize PKI management

A well-architected and well-managed PKI will make it easy to switch to quantum-resistant algorithms when the time comes. Conversely, a fragmented PKI environment with multiple root certificate authorities (CAs), inconsistent policies, and manual processes will make the transition enormously difficult.

Reducing PKI sprawl and centralizing certificate management simplifies the migration path and eliminates the blind spots that adversaries exploit.

Build crypto-agility

Crypto-agility is the ability to swap cryptographic algorithms and protocols without overhauling your infrastructure. It is the single most important capability for HNDL defense because it determines how quickly an organization can respond when quantum-resistant algorithms must be deployed at scale.

Organizations that are crypto-agile can transition to post-quantum cryptography as standards mature and threats evolve. Those that are not will face costly, disruptive rearchitecting at the worst possible time. For a deeper exploration of this topic, see Keyfactor’s resource on cryptographic agility.

Prepare for post-quantum cryptography standards

NIST has finalized its first PQC standards, and the timeline for deprecating RSA and ECC is becoming concrete, with 2030 targets for finalizing the transition, which consequently has to start now. Organizations should begin evaluating these standards, testing quantum-resistant algorithms in non-production environments, and developing migration roadmaps.

Start exploring quantum-resistant tools

Organizations should begin evaluating and adopting tools that have already embraced quantum-resistant encryption. Waiting for quantum computers to arrive before taking action means competing for talent, vendor capacity, and internal resources in a compressed timeline alongside every other organization that delayed.

How Keyfactor can help

Keyfactor’s platform directly addresses the foundational requirements for HNDL defense: cryptographic visibility, PKI modernization, and crypto-agility at enterprise scale.

Keyfactor’s AgileSec is the first step towards protecting against HNDL. It enables enterprises to discover cryptographic material throughout their infrastructure. This can then be classified as vulnerable or protected against HNDL and other quantum attacks.

Keyfactor Command provides discovery and inventory capabilities for digital certificates that give organizations complete visibility into their cryptographic assets, the essential first step in assessing quantum exposure. The platform automates certificate lifecycle management across the enterprise, reducing manual processes and eliminating the certificate sprawl that complicates PQC migration. With built-in support for crypto-agility, Keyfactor enables organizations to transition to quantum-resistant algorithms without rebuilding their infrastructure.

For organizations ready to move from awareness to action on quantum readiness, Keyfactor provides the platform, the expertise, and the operational automation to make the transition achievable.

There is no opting out of quantum

HNDL attacks are just one example of how quantum computing stands to affect all organizations, even those with no plans to pursue quantum-powered innovation. The threat is not optional. If your organization uses public key cryptography (and every organization does), quantum computing will eventually affect you.

The uncomfortable reality is that most organizations simply are not ready to adapt. They are stuck in the prerequisite phase of gaining visibility and control over cryptographic assets. The gap between where most enterprises are today and where they need to be is measured in years of effort, which is precisely why the time to start is now.

The best time to start preparing was five years ago. The next best time is right now.

Got Harvest Now, Decrypt Later questions? We’ve got answers.

What does Harvest Now, Decrypt Later mean?

Harvest Now, Decrypt Later (HNDL) is a cyberattack strategy where adversaries intercept and store encrypted data today, intending to decrypt it in the future when quantum computers become powerful enough to break current encryption methods like RSA and ECC.

Is Harvest Now, Decrypt Later actually happening right now?

Yes. While definitive attribution is difficult, several incidents over the past decade resemble HNDL activity, including large-scale internet traffic rerouting through nation-state actors. The data being collected today is expected to be decrypted once quantum computing matures.

Who is most likely behind HNDL attacks?

Nation-state actors are the most probable perpetrators because HNDL requires significant resources and a long time horizon. However, the line between nation-state and corporate espionage is blurring, and enterprise businesses are frequent targets. According to HP’s Wolf Security study, about a third of nation-state cyberattacks between 2017 and 2020 targeted enterprise businesses.

What types of data are most at risk from HNDL?

Data with long-term strategic value is most at risk: trade secrets, intellectual property, business intelligence, R&D outputs, and emerging technologies. Any data that will still be sensitive in five or more years should be treated as vulnerable.

How far away are quantum computers that could decrypt today’s data?

Most experts estimate that cryptographically relevant quantum computers are more than five years away. However, much of the data being harvested now will still be sensitive when that capability arrives, which is why preparation must begin today.

What is crypto-agility, and why does it matter for HNDL defense?

Crypto-agility is the ability to quickly swap cryptographic algorithms and protocols without overhauling your infrastructure. It matters because organizations that are crypto-agile can transition to quantum-resistant algorithms as soon as standards are finalized, minimizing their exposure window.

What is the difference between HNDL and Trust Now, Forge Later?

HNDL targets encrypted data (confidentiality), while Trust Now, Forge Later targets digital signatures (authenticity and integrity). Both are quantum threats. Harvest Now, Decrypt Later allows attackers to gather encrypted data to be uncovered later, while Trust Now, Forge Later could allow attackers to forge identities and undermine PKI trust hierarchies.

What should my organization do right now to prepare for HNDL?

Start by gaining visibility into your cryptographic assets. Then modernize and centralize your PKI, build crypto-agility into your infrastructure, and begin evaluating quantum-resistant tools and standards. The sooner you start, the smoother the transition will be.