The Harvest-Now-Decrypt-Later Threat Is Already Here
A recurring mistake in risk discussions about quantum computing is treating the threat as something that activates the day a cryptographically relevant quantum computer comes online. That framing misunderstands the adversary. Nation-state intelligence services do not wait for a breakthrough to act on a breakthrough. They act now, by intercepting and archiving encrypted traffic against the eventual decryption capability. Any secret that still has value when decryption becomes possible has already been compromised. The only question is when the compromise becomes visible.
What "Harvest Now, Decrypt Later" Actually Means
The operational pattern is straightforward. Capture encrypted traffic at choke points where it traverses adversary-accessible infrastructure. Store the captures indefinitely against the eventual arrival of decryption capability. Decrypt when the capability arrives. No active exploitation is required today; the act that matters has already happened by the time the cryptanalysis is feasible.
The capture surface is wider than most defenders assume. Submarine cable landing stations, ISP backbone infrastructure, cloud egress points, satellite downlinks, embassy and consular signal collection, and supply-chain insertion at hardware level all provide capture points. The 2013 disclosures documented programs at this scale operating against adversary and allied traffic alike, including XKeyscore and the MUSCULAR program targeting Google and Yahoo data center links. The capability has not narrowed in the years since; it has expanded to match the increase in traffic volume.
The decryption arrival horizon is the variable defenders cannot estimate precisely. NIST IR 8547 (Transition to Post-Quantum Cryptography Standards, 2024) treats the cryptographically relevant quantum computer (CRQC) timeline as 2030 to 2040 with significant uncertainty. NSA's CNSA 2.0 transition planning assumes earlier dates for sensitive workloads. Either way, the data captured today has a usable lifetime measured in decades.
Which Data Is Most at Risk
The risk profile is determined by the intersection of two properties: how long the data remains sensitive, and how aggressively it is captured. Long-confidentiality data captured at scale is the worst case; short-confidentiality data captured opportunistically is recoverable. The categories that fall into the worst case are well-documented.
Diplomatic cables and intelligence reporting often retain operational sensitivity for the lifetime of the people named in them. The 25-year automatic declassification clock under Executive Order 13526 still leaves many records sensitive at decryption time. Source code for critical infrastructure (power grid control, water treatment SCADA, weapon systems) carries vulnerability information that adversaries can exploit decades after the code's deployment.
Medical records under HIPAA carry confidentiality obligations for the patient's lifetime. Legal communications under attorney-client privilege carry similar lifetime obligations. Intellectual property in pharmaceuticals, semiconductor design, and aerospace materials retains commercial value for 20 to 50 years from generation. Data in any of these categories that is captured today is data adversaries are paying to store against future decryption.
The categories where harvest-now-decrypt-later is operationally meaningful are also the ones that both the federal government and the commercial sector are slow to migrate. NSA's January 2026 CNSA 2.0 clarification accelerated the timeline specifically to close this gap.
The Retention Math
The calculation is concrete. If an adversary captures encrypted data on date T0 and decrypts it on date T1, the encryption must protect the data for (T1 minus T0) years. The cryptographic strength required is the strength sufficient against the cryptanalysis available at T1, not the cryptanalysis available at T0.
For traffic encrypted with RSA-2048 in 2026, T1 is bounded above by the CRQC arrival date, which most credible forecasts place between 2030 and 2040. That gives RSA-2048 traffic encrypted in 2026 a confidentiality window of 4 to 14 years. For data with sensitivity horizons longer than 14 years, RSA-2048 is already an inadequate guarantee. ECDH P-256 has the same property: the underlying discrete log problem is solved by Shor's algorithm on a CRQC of comparable scale to the one that breaks RSA-2048.
NIST IR 8547 frames this as the transition window. The standards body's recommendation is that data with confidentiality horizons exceeding the CRQC arrival uncertainty should be migrated to post-quantum cryptography immediately, not on the federal acquisition timeline. The Five Eyes intelligence community's joint Quantum Computing Cybersecurity Advisory carries the same recommendation in stronger language.
What the Evidence Says About Current Capture Programs
Public reporting establishes that capture programs operate at the scale required for harvest-now-decrypt-later to be meaningful. The 2013 disclosures (XKeyscore, MUSCULAR, FAIRVIEW, STORMBREW, Tempora) documented intercepts at submarine cable landing stations and core ISP infrastructure operating against tens of petabytes per day. The 2020 Mandiant reporting on APT41 documented sustained collection against pharmaceutical and aerospace targets. The 2024 Five Eyes joint cybersecurity advisory on PRC and Russian intelligence services reaffirmed ongoing collection of US government and defense industrial base traffic, held specifically against future decryption.
The inference is straightforward. A rational nation-state adversary with capture infrastructure already deployed and known interest in long-confidentiality categories is collecting now. The 2026 cryptography of any data that crosses adversary-accessible infrastructure is the cryptography that has to hold against 2035 or 2045 cryptanalysis.
What Organizations Should Do Now
Inventory long-lived secrets first. Identify which data has a sensitivity horizon longer than the CRQC arrival uncertainty. Categorize by both horizon (years of remaining sensitivity) and exposure (whether the data has crossed adversary-accessible infrastructure in the past or will in the future). Long-horizon, high-exposure categories are the priority for post-quantum migration.
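The retention math and the inventory step above can be run as a triage over an asset list. This Go program is an added example, not code from the article; the `Asset` fields, the tier numbering and the sample rows are assumptions, while 2026 and the 2030 to 2040 range are the article's figures.

```go
package main

import (
	"fmt"
	"sort"
)

const T0, T1Early, T1Late = 2026, 2030, 2040 // capture year; article's CRQC arrival range

// Asset is a hypothetical inventory row; the field names are assumptions.
type Asset struct {
	Name      string
	Horizon   int  // years the data stays sensitive, counted from T0
	Exposed   bool // has crossed or will cross adversary-accessible infrastructure
	Classical bool // key establishment relies on RSA or ECDH only
}

// Tier ranks migration priority; 0 is the most urgent.
func Tier(a Asset) int {
	switch {
	case !a.Classical || T0+a.Horizon <= T1Early:
		return 3 // already post-quantum, or expired before the earliest T1
	case !a.Exposed:
		return 2 // at risk only once it crosses a capture point
	case T0+a.Horizon > T1Late:
		return 0 // outlives even the latest T1
	default:
		return 1 // outcome depends on where T1 lands in the window
	}
}

// Rank sorts the inventory in place by tier, then by longest horizon, and returns it.
func Rank(inv []Asset) []Asset {
	sort.SliceStable(inv, func(i, j int) bool {
		ti, tj := Tier(inv[i]), Tier(inv[j])
		return ti < tj || (ti == tj && inv[i].Horizon > inv[j].Horizon)
	})
	return inv
}

func main() {
	inv := []Asset{ // constructed sample inventory
		{"session tokens", 1, true, true}, {"patient records", 60, true, true},
		{"chip design files", 12, true, true}, {"offline archive", 30, false, true},
	}
	for _, a := range Rank(inv) {
		fmt.Printf("tier %d  %-18s sensitive until %d\n", Tier(a), a.Name, T0+a.Horizon)
	}
}
```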
Accept that some data already captured is already lost. The migration question is not "how do we protect what was captured already," because that data is now in adversary archives, and post-quantum encryption applied today does not retroactively protect prior intercepts. The migration question is "how do we ensure the next decade of data does not enter the same archive."
The architecture that minimizes future archive exposure is one where every data object carries its own post-quantum encryption from the moment of creation. Data wrapped at the application layer with ML-KEM-768 or ML-KEM-1024 enters the network already protected against future cryptanalysis. The operator's perimeter cryptography becomes a defense-in-depth layer rather than the primary protection.
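Wrapping an object at creation with ML-KEM-768, as described above, shown as an added example (not the article's or Lattix's code) using Go's standard `crypto/mlkem` package, which requires Go 1.24 or later. The `Wrapped` layout, the object id bound as associated data, and AES-256-GCM as the payload cipher are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/mlkem"
	"crypto/rand"
	"fmt"
)

// Wrapped is a hypothetical envelope layout, not a standard format.
type Wrapped struct{ KEMCiphertext, Nonce, Sealed []byte }

// NewKey makes a recipient key pair; dk.EncapsulationKey() is the public half.
func NewKey() (*mlkem.DecapsulationKey768, error) { return mlkem.GenerateKey768() }

// gcm keys AES-256-GCM with an ML-KEM shared secret. Those are always 32 bytes,
// so neither constructor can fail here.
func gcm(shared []byte) cipher.AEAD {
	block, _ := aes.NewCipher(shared)
	g, _ := cipher.NewGCM(block)
	return g
}

// Wrap seals payload at creation time and binds the object id as associated data.
func Wrap(ek *mlkem.EncapsulationKey768, id string, payload []byte) *Wrapped {
	shared, kemCT := ek.Encapsulate() // fresh secret per object
	g := gcm(shared)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // documented never to fail since Go 1.24
	return &Wrapped{kemCT, nonce, g.Seal(nil, nonce, payload, []byte(id))}
}

// Unwrap recovers the payload. A wrong key still decapsulates without error
// (implicit rejection) to a different secret, so the GCM tag is the real check.
func Unwrap(dk *mlkem.DecapsulationKey768, id string, w *Wrapped) ([]byte, error) {
	shared, err := dk.Decapsulate(w.KEMCiphertext)
	if err != nil {
		return nil, err // malformed KEM ciphertext
	}
	return gcm(shared).Open(nil, w.Nonce, w.Sealed, []byte(id))
}

func main() {
	dk, _ := NewKey()
	w := Wrap(dk.EncapsulationKey(), "obj-1", []byte("constructed record"))
	pt, err := Unwrap(dk, "obj-1", w)
	fmt.Printf("%s err=%v kem_ct=%d bytes\n", pt, err, len(w.KEMCiphertext))
}
```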
The Lattix Role
Lattix Technologies wraps each data object in cryptographic enforcement at the policy enforcement point (PEP). Long-lived data wrapped in this architecture today can be re-wrapped under updated post-quantum keys tomorrow without re-creating or re-distributing the underlying object. The migration path is incremental: rotate the wrapping key authority, and every object inherits the new cryptography on next access.
Data-centric security gives organizations a migration path that infrastructure-centric security does not. Network and application encryption migrations require coordinated rebuilds of consumers, services, and storage layers. Object-level wrapping migrations happen at the wrapper and propagate to consumers on access. The horizon math becomes tractable: the cost of migration is bounded by the number of wrapping authorities, not by the number of records or the number of consumers.
The architecture's value over the harvest-now-decrypt-later horizon is that the data captured today by any adversary is captured under the post-quantum wrapping the architecture applied at creation. The capture happened. The decryption does not, because the wrapping does not break under the adversary's eventual capability.
References
- NIST IR 8547, Transition to Post-Quantum Cryptography Standards (Initial Public Draft, 2024)
- NSA, CNSA 2.0 Cybersecurity Information Sheet
- CISA, Preparing Critical Infrastructure for Post-Quantum Cryptography
- NIST FIPS 203, ML-KEM (Module-Lattice-Based Key Encapsulation Mechanism)
- Executive Order 13526, Classified National Security Information
- Mandiant APT41 Threat Profile