Is Harvest Now, Decrypt Later (HNDL) Real? What I Can and Can’t Prove
Table of Contents
Introduction
A few times a month, in a board briefing, a training room, or a closed session with a security team, someone interrupts me with a version of the same question. It tends to arrive right after I explain Harvest Now, Decrypt Later (HNDL): the idea that a foreign service may already be copying an organization’s encrypted traffic and warehousing it to read once quantum computers mature. The question comes out somewhere between genuine curiosity and open suspicion. Is this actually happening, or is the quantum industry manufacturing fear to sell products?
It is a fair question, and for years my answer was unsatisfying. I could not hand anyone a seized drive or a leaked intercept order showing a named adversary hoovering up their ciphertext for a machine that does not yet exist. No one could. The honest version of the answer is that nobody can show you a specific quantum-motivated harvest, and nobody needs to: the collection is passive, cheap, undetectable, and already routine, which is why a dozen governments have built migration deadlines around it. This is the fuller answer I never have time to give in the room.
I am not a member of the quantum panic industry. I have spent plenty of ink calling out Q-FUD, the inflated timelines and vendor-driven dread that treat a distant threat as if Q-Day were next quarter. I share the skeptic’s allergy to being sold fear. What I do not share is the leap from “the hype is overblown” to “the underlying threat is fake.” On Harvest Now, Decrypt Later the evidence pulls hard in one direction.
The mechanics are simple enough: an adversary collects encrypted data today, stores it, and waits until a cryptographically relevant quantum computer (CRQC) can break the key establishment that protected it. In a captured TLS, VPN, or similar session, the target is not the symmetric encryption itself but the RSA, Diffie-Hellman, or elliptic-curve mechanism used to establish the session key. Shor’s algorithm could recover the relevant private or ephemeral key from the recorded handshake, reconstruct the session key, and decrypt the retained payload. That requires the adversary to have captured the handshake and the traffic, not merely an arbitrary fragment of ciphertext. But capturing a full session from a tapped link is exactly what passive collection provides. HNDL is the one quantum threat that is live today, not years out on a roadmap, because the harvesting happens now even though the decryption is distant. (The signature side has its own version: Trust Now, Forge Later. Sessions already protected with post-quantum or hybrid key establishment do not present this exposure.)
The question keeps coming up because HNDL asks people to act against a harm they cannot see. There is no breach notification, no ransom note, no defaced website. If an adversary is quietly copying encrypted traffic, the victim experiences precisely nothing. That invisibility is what makes executives suspect the whole thing is theater. It is also the entire point.
The Skeptic Has a Point, and a Blind Spot
Let me put the skeptic’s case as strongly as I can, because it deserves that. You have no proof, the argument goes. In decades of signals intelligence disclosures, no one has produced a captured foreign archive of encrypted data being warehoused for a quantum computer. The scenario also sounds operationally heavy. To collect an organization’s data, an adversary would have to breach its network, plant a listening device somewhere sensitive, or park a fake cell tower outside the building. That is expensive, risky, and detectable. Encryption is doing its job today, so why would a rival state pour resources into stealing data it cannot read, on a bet that a machine capable of reading it will exist within the data’s useful life? Absent a smoking gun, the parsimonious explanation is that HNDL is a marketing device.
A more sophisticated version of the objection adds that acquiring a collection position can be expensive and dangerous, that much information loses its intelligence value before a quantum computer is likely to arrive, and that endpoint compromise often yields plaintext more cheaply. That is a stronger case, and I will come back to the data-lifetime question in particular. But both the boardroom version and the sophisticated version share the same foundational error about how harvesting works.
I take that seriously. It contains one true observation and one serious mistake. The true observation is that there is no public smoking gun, and I will not pretend otherwise. The mistake is the picture of how harvesting works. Collecting encrypted communications does not require breaching a network or planting anything inside a building. It requires a copy of the encrypted stream while it travels across a cable or through the air. Those are very different problems, and the second is far easier, far cheaper, and far quieter than the heist the skeptic is imagining.
What a Dozen Governments Have Put in Writing
Start with the written record, because it is the part I can put in front of a board without asking anyone to trust me.
From “Cannot Be Ruled Out” to “Collecting Now”
Over the past five years, the intelligence and cybersecurity agencies of most of the Western world have moved, independently and in the same direction, from treating retrospective decryption as a theoretical possibility to naming it as a present concern and legislating around it.
In 2022, France’s ANSSI was among the most cautious. Its published position noted that the threat of retroactive attacks (storing encrypted traffic now to decrypt later) could not be ruled out, while carefully declining to predict whether a capable quantum computer would ever exist. That is the language of an agency hedging.
By August 2023, the tone had shifted. A joint fact sheet from CISA, the NSA, and NIST told organizations plainly that threat actors could be targeting data today with long secrecy lifetimes, using what it named a “catch now, break later or harvest now, decrypt later” operation. Canada’s Cyber Centre went further in its guidance, calling the risk an immediate threat rather than a future one.
In late 2024, Germany’s BSI, together with more than a dozen EU member states, called store-now-decrypt-later the most imminent threat from quantum computing and recommended protecting the most sensitive data by 2030. The same season, NIST’s draft transition report described adversaries collecting encrypted data now, with the goal of decrypting it once quantum technology matured, and named that threat model as a main reason the migration is urgent.
Then, in June 2026, HNDL moved from agency guidance into binding U.S. federal policy. Executive Order 14412, “Securing the Nation Against Advanced Cryptographic Attacks,” stated that ongoing cyber activity presents the risk of adversaries collecting United States information now, and decrypting it later once large-scale quantum computers are operational. The wording still describes a risk rather than a confirmed operation, but the policy consequence is concrete: federal systems now have dated post-quantum implementation requirements, and the Federal Acquisition Regulation pulls contractors in.
Line those up and the trajectory is hard to miss. The 2022 formulation, “cannot be ruled out,” becomes the 2026 formulation, “presents the risk,” embedded in a signed executive order with deadlines attached. The United Kingdom’s NCSC, the Netherlands’ AIVD (an intelligence service, not merely a standards body), Australia’s ASD, Singapore’s CSA, ENISA and the European Commission, and NATO have all published versions of the same warning, and most have set migration milestones or mandates. These are allied governments with shared intelligence channels, so the convergence is not entirely independent. But their analytical bodies are separate, and the consistency of the conclusion across different national contexts, threat environments, and bureaucratic cultures is itself a signal. When that many security establishments converge on the same precaution, “a vendor made it up” stops being a serious explanation.
Here is that trajectory in one view, including the fuller roster the prose above compresses:
| Date | Agency / document | On the harvest threat | Posture |
|---|---|---|---|
| Feb 2021 (rev. 2025) | Canada — Cyber Centre | Calls HNDL an “immediate threat” | Active threat |
| Aug 2021 | US — NSA FAQ | Data must stay protected for decades (long-life warning) | Precautionary |
| Jan 2022 | Netherlands — AIVD | State actors may store intercepted encrypted data | Active threat (intel agency) |
| Mar 2022 | France — ANSSI | “Store now, decrypt later” cannot be ruled out | Precautionary |
| May 2022 | US — White House NSM-10 | Orders mitigation of quantum risk by 2035 | Mandate |
| Aug 2023 | US — CISA / NSA / NIST | Names a “catch now, break later or harvest now, decrypt later” operation | Rationale for action |
| Nov 2023 | UK — NCSC | Risk of an attacker collecting data now to decrypt later | Rationale for action |
| Nov 2024 | Germany — BSI + EU states | SNDL the “most imminent threat”; protect sensitive data by 2030 | Active threat |
| Nov 2024 | US — NIST IR 8547 (draft) | Adversaries collect encrypted data now to decrypt later | Active threat |
| Mar 2025 | UK — NCSC timelines | Migration milestones set for 2028 / 2031 / 2035 | Mandate |
| Jun 2025 | EU — Commission / NIS group | “Store now, decrypt later” attacks; milestones to 2030 / 2035 | Rationale for action |
| Sep 2025 | Australia — ASD | Waiting for quantum “would be too late” | Mandate |
| Oct 2025 | Singapore — CSA | Frames HNDL as “happening today” | Active threat |
| Jun 2026 | US — Executive Order 14412 | “Risk of adversaries collecting United States information now” | Signed mandate |
The Caveats, and Why They Strengthen the Case
Now the honest caveats, because they belong in the argument rather than against it.
Most of this official language is deliberately conditional. Agencies write that adversaries “may” or “could” be collecting, not that they demonstrably are. That is the careful phrasing of institutions that do not disclose sources and methods, and I will not inflate “could” into “are.”
I will also flag two of the most-quoted lines in this whole debate that do not hold up against their primary sources, because getting this right is the difference between analysis and repetition. The claim that the NSA’s 2021 FAQ said adversaries “are collecting” encrypted data now is a paraphrase; the actual FAQ makes a long-data-life argument without that sentence. And a widely repeated line attributed to the UK NCSC’s 2023 Annual Review, about state actors exploiting stolen data in years to come, does not appear in that document. Anyone making this case should drop those two and rely on the verified record, which is more than strong enough without them.
There is one feature of the agency record that the skeptic tends to miss. Several of the bodies issuing these warnings are signals intelligence agencies. The NSA, GCHQ, the communications-security arm inside the AIVD, ANSSI, BSI: these are organizations whose own mission includes intercepting communications. When they warn that adversaries may be harvesting encrypted traffic for later decryption, they are describing a technique they understand intimately, because collecting other people’s traffic at scale is a thing they do. Their warning carries weight the vendor brochures never will.
The Harvest Is the Easy Part
The mistake at the center of the skeptic’s picture is the picture itself. Break into the network, plant a device, spoof a tower: that describes the loud, detectable, and largely unnecessary way to collect data. The quiet way needs none of it, and it is old, proven, and cheap.
Here is that track record at a glance. The “Passive?” column is the one that undoes the assumption that harvesting would be noticed:
| Years | Case | Who → target | Passive? | What it establishes |
|---|---|---|---|---|
| 1971–1981 | Operation Ivy Bells | US → Soviet undersea military cable | Yes (induction collar) | A vigilant target never detected the tap; a defector, not technology, exposed it |
| 2003– | Room 641A | NSA / AT&T → US internet backbone | Yes (optical splitter) | Copies ciphertext beneath the encryption layer, with no latency or fingerprint |
| 2011– | Tempora | GCHQ → transatlantic fiber cables | Yes (fiber probes) | Purpose-built to collect traffic and retain it for later processing |
| 2014–2018 | DC IMSI catchers | Unattributed → phones near the Capitol / White House | Active (detectable) | Adversaries accept exposure to collect beside the seat of power |
| 2024– | Salt Typhoon | China (MSS) → US telecom cores | No (network intrusion) | A capable adversary already reaches the backbone position for bulk collection |
| 2025 | “Don’t Look Up” study | Researchers → GEO satellite traffic | Yes (receive-only) | Wide-scale passive interception now costs about $800 |
A Perfect Copy of the Light
In 2006, an AT&T technician named Mark Klein revealed what tapping the backbone actually looks like. Inside the company’s San Francisco facility, a passive optical splitter had been installed on the fiber carrying internet backbone traffic. The device copied the entire light signal, every packet, and sent one identical stream to a room controlled by the NSA while the original continued to its destination untouched. Because the splitter is a passive physical component, it added no latency, dropped no packets, and produced no protocol-level anomaly visible to the endpoints. A well-instrumented operator monitoring for physical-layer changes such as unexpected optical loss could, in principle, detect that something had been introduced on the fiber, but ordinary endpoint and network monitoring would not reveal that a second copy of the signal was being made. The documents Klein provided to the Electronic Frontier Foundation showed the copying happening at the physical layer, beneath the level where any encryption on that traffic could protect it.
What that tap collects is ciphertext. The adversary is not breaking the encryption at the moment of collection. It is taking a perfect copy and keeping it. Everything the skeptic imagines as the hard part, defeating the crypto, is deferred to a later day and a different machine.
The Tap a Superpower Couldn’t Find
If a passive tap sounds like something a target would eventually notice, the historical record says otherwise, and it says so about one of the most security-conscious targets imaginable. In 1971, a joint U.S. Navy, CIA, and NSA operation code-named Ivy Bells placed a recording device on a Soviet military communications cable on the floor of the Sea of Okhotsk. Divers wrapped a collar around the cable that read the signal by induction without piercing it. Later versions were nuclear-powered and could bank close to a year of traffic. The Soviets treated that sea as territorial waters and guarded it with seabed sensors, and they never detected the tap. The operation ran for roughly a decade and was exposed only in 1980, when an NSA employee sold it to the KGB.
A superpower actively guarding its own cable, in its own waters, could not find a passive tap physically wrapped around it. What blew the operation was a human traitor, not any technical detection. Hold that against the assumption that harvesting your traffic would somehow be noticed.
Buffering the Cables That Carry the Internet
Passive collection at national scale is not a Cold War relic. The GCHQ program disclosed in 2013 as Tempora was built to buffer internet traffic pulled off transatlantic fiber-optic cables so it could be searched later. By mid-2011, GCHQ had probes on more than 200 links, each carrying 10 gigabits per second, attached to cables landing in Cornwall and at a Middle East site in Oman. Intercepted content was held for three days and metadata for 30, then queried and cross-referenced. A national agency built infrastructure whose declared purpose was to collect traffic and retain it for later processing, at the scale of the cables that carry the internet between continents. Store now, examine later.
Now It Costs $800
The price of passive interception has collapsed. In October 2025, researchers at UC San Diego and the University of Maryland published a study in which they put a roughly $800 consumer satellite dish on a rooftop and, over three years, found that about half of the geostationary satellite signals they scanned were unencrypted. They captured cellular backhaul, corporate and government communications, and military traffic. Their threat model makes the point clearly: wide-scale interception of this kind was, they wrote, “previously assumed to only be feasible with state actor-grade equipment,” and they showed a low-resource attacker could do it with off-the-shelf hardware, receive-only and emitting nothing.
That study is about unencrypted data, which is a worse and more immediate problem than HNDL, so I will not overclaim it. But it establishes two things. Passive interception is now trivially cheap. And the encrypted half of that same satellite traffic is exactly what an HNDL adversary would collect and store today.
Adversaries Already Accept Being Seen
The harvesting mechanism is real, passive, difficult to detect from the endpoint, and cheap. That leaves the question of intent. Here the skeptic’s own instinct cuts the other way: if adversaries would only bother when they wanted the data badly, we can watch them bother with the loud version.
Since at least 2014, security researchers and the U.S. government have repeatedly found unexplained cell-site simulators, the fake cell towers known as IMSI catchers or Stingrays, operating around Washington. In 2018, DHS confirmed to Senator Ron Wyden that it had detected activity in the capital consistent with such devices, that it could not attribute them to anyone, and that it had no fielded capability to reliably detect them. A private survey in 2014 reported finding roughly 18 in a couple of days, clustered around government buildings including the Capitol and the White House.
Active cell-site simulators are the detectable kind of collection. They impersonate towers, can force phones onto weaker protocols, and radiate signals a sweep can find. Someone runs them next to the most sensitive buildings in the United States anyway. If a hostile service will accept that exposure for active collection, the passive alternative, which radiates nothing and leaves nothing to sweep for, is the obvious and safer choice.
A Foothold in the Backbone
Adversaries also reach the positions from which bulk collection becomes a decision rather than a barrier. The Chinese intrusion set tracked as Salt Typhoon compromised the core networks of major U.S. carriers including Verizon, AT&T, and Lumen, reaching the lawful-intercept systems used for court-ordered wiretaps and, U.S. officials noted, holding broader access that could touch general internet traffic. CISA said months later that it could not be certain the intruders had been evicted.
I want to be precise about what this shows and what it does not. Salt Typhoon is an active intrusion rather than a passive tap, and its reported aim was counterintelligence, learning whom the FBI was watching, plus call metadata, not a quantum-motivated harvest of encrypted bulk traffic. What it demonstrates is that a capable adversary already achieves the backbone position from which large-scale collection is one command away, and that Beijing treats that infrastructure as a target worth years of effort.
London’s Mega-Embassy Is an Argument About Harvesting
The case becomes concrete and current in London. Beijing bought Royal Mint Court, next to the Tower of London, in 2018, and proposed the largest Chinese diplomatic complex in Europe. Beneath the site runs a tunnel carrying fiber-optic cables that serve the City of London and Canary Wharf, the two hearts of British finance. After years of delay and a rejection by the local council, the UK government approved the plan in January 2026.
The nature of the concern is what makes this so relevant. Nobody serious claims China would break the encryption on those cables today. The worry is proximity to the ciphertext. A telecommunications engineer quoted in the coverage framed it almost exactly as I would: physical access makes interception straightforward, the traffic is encrypted, but even very strong encryption doesn’t eliminate all vulnerabilities, and traffic analysis and metadata yield value even without decrypting anything. Sit beside the encrypted financial and email traffic of the City, copy it, store it, and wait. British security officials clearly agree: reporting indicates MI5 pushed to relocate critical internet cables away from the site to reduce the interception risk, while conceding it cannot drive every risk from a diplomatic premises to zero.
Some of the sharpest specifics are contested. The Telegraph, citing unredacted planning documents, reported a basement chamber positioned only feet from the cables and fitted with heat extraction consistent with high-powered computing, alongside a network of more than 200 basement rooms. China disputes the espionage framing, and those details rest on a reading of leaked plans rather than any confirmed installation. Even setting them aside, the uncontested core is remarkable: a foreign state secured the right to build, and a Western government approved, a large facility directly above the encrypted data conduits of a global financial center, over the objections of legislators who called it “a launchpad for economic warfare.” That public argument, whether the participants name it or not, is about the first half of Harvest Now, Decrypt Later.
The Storage Math That Should End the Debate
The remaining skeptic’s position is one of economics. Storing the world’s internet traffic sounds like it would require the world’s budget. It does not. The numbers are so lopsided that once you run them, the feasibility objection falls away for any adversary with a state budget.
What Would It Actually Cost?
Start with the raw volume. Global internet traffic runs at roughly 400–500 exabytes per month, depending on whose estimate you use (Cisco’s last published forecast, IBISWorld, and AppLogic Networks’ 2025 Global Internet Phenomena Report all converge in that range). That is an enormous number, but no rational adversary would try to store all of it. Most of that volume is streaming video, gaming traffic, software updates, and content delivery — data with no intelligence value and no long-term secrecy. An adversary conducting HNDL collection would filter.
The economics shift from “impossible” to “routine” once you consider three scenarios, from broadest to most targeted:
Scenario 1: Tap a major backbone link, store everything. A 100 Gbps fiber link running at typical utilization (40–60%) generates roughly 400–600 terabytes per day. At enterprise HDD prices of $15–20 per terabyte (current 2026 pricing for high-capacity Seagate Exos or WD Ultrastar drives), storing a full year of that single link’s traffic costs roughly $2–4 million. That is a rounding error on the budget of any serious intelligence service. The U.S. intelligence community’s publicly disclosed budget exceeds $70 billion annually. China does not publish an equivalent figure, but credible estimates place it at $15–20 billion or more. At $3 million per backbone tap per year of storage, an agency could archive traffic from dozens of links and barely register the expense.
Scenario 2: Filter on metadata first, store selectively. A smarter adversary would not store raw traffic indiscriminately. IP addresses, routing information, and TLS handshake metadata are visible before decryption. Server Name Indication (SNI) and DNS queries can reveal which domains traffic is flowing to, though Encrypted Client Hello (ECH) and encrypted DNS are gradually narrowing that visibility. Even with those protections spreading, enough metadata remains exposed on most connections today to support real-time filtering: keep the traffic flowing to and from government agencies, defense contractors, financial institutions, law firms, and research labs; discard the streaming video and software updates. If this kind of metadata-based filtering retains between 1% and 10% of the raw stream (an illustrative range, not a published benchmark, since the exact ratio depends on the target set), the storage cost for a year of collection on a major link drops to $30,000–$400,000.
Scenario 3: Target a specific organization or cable. Intercepting the traffic of a single large enterprise, a government ministry, or a diplomatic mission involves far less volume. To take an illustrative example, suppose a large organization generates 1–10 terabytes of external network traffic per day. Storing a full year costs $5,000–$70,000 at current HDD prices. At $70,000 for the upper end, the annual cost of archiving an entire large organization’s encrypted communications is less than the salary of one junior intelligence analyst.
And those figures use retail pricing. A state agency buying at data-center scale pays less. Tape storage (LTO-9, at roughly $4–6 per terabyte) drops the cost further for pure archival, and tape is a natural fit for data that does not need fast access. On tape, a year of filtered backbone traffic from a major link costs roughly $8,000–$25,000. These are bare-media costs; a real archival operation also needs ingest infrastructure, redundancy, cataloguing, and eventual processing capacity, so the total is higher, but the order of magnitude holds for a state intelligence budget.
| Scenario | Daily volume | Annual storage cost (HDD) | Annual storage cost (tape) |
|---|---|---|---|
| Raw backbone link (100 Gbps, ~50% util.) | ~540 TB | $2–4 million | $800K–$1.2M |
| Metadata-filtered backbone (1–10% retained) | 5–54 TB | $30K–$400K | $8K–$120K |
| Single large organization | 1–10 TB | $5K–$70K | $1.5K–$22K |
Which Secrets Survive the Wait?
Not all information is worth storing for a decade. Merger deliberations, tactical military plans, pricing strategy, and session credentials can lose most of their value within months. An adversary pursuing HNDL would not archive traffic indiscriminately; it would prioritize the categories whose intelligence half-life matches the decryption horizon. Some of those categories are obvious: intelligence-personnel and human-source identities, security-clearance records, biometric and genomic data, weapons-platform designs, critical-infrastructure engineering details, durable trade secrets like pharmaceutical formulas or chip fabrication processes, long-term medical and legal records, and diplomatic correspondence that reveals institutional methods and decision patterns. Others are less obvious but equally durable: the internal communications of a central bank or finance ministry, which reveal how a government makes economic decisions, retain analytical value for decades regardless of whether a specific rate decision is stale.
The physical storage, meanwhile, does not decay. A human source can be turned or retired. A compromised system gets patched. A surveillance position gets detected and loses value. Stored ciphertext just sits on tape in a warehouse, costing nothing, waiting. That combination, information with a long intelligence half-life, held in a medium that never degrades; is what makes HNDL a uniquely patient investment.
What a Single Decryption Would Be Worth
Now compare those storage costs to the value of what a decrypted archive would contain.
The value of a decrypted archive depends on what it contains, but for the categories that survive the wait, the numbers dwarf the storage costs. The 2015 theft of the U.S. Office of Personnel Management database, which compromised the security clearance records of 21.5 million federal employees, was described by former CIA Director Michael Hayden as the most significant intelligence loss in a generation. That was a database compromise, not a retrospective decryption, but it illustrates the kind of information whose exploitation life spans decades: the raw material to identify, map, and potentially compromise U.S. intelligence officers, diplomats, and defense workers. Now imagine every email those individuals sent and received, sitting in an archive waiting for decryption.
Consider the categories where a decrypted archive would retain serious value:
Diplomatic cables. A decade of encrypted communications between a foreign ministry and its embassies would reveal negotiating positions, intelligence assessments, source identities, and alliance dynamics. The 2010 WikiLeaks release of 250,000 State Department cables reshaped international relations. A decrypted archive yielded a decade later would have different operational value, since specific diplomatic positions may have shifted, but the institutional methods, relationships, and decision-making patterns it would expose retain intelligence value for far longer than any single negotiation.
Financial and economic policy. The encrypted communications between a finance ministry and its central bank, stored today and decrypted in 2035, would reveal how a government makes economic decisions. Those institutional patterns are analytically durable even when the specific decisions are historical; understanding how a rival’s economic policymaking works is a permanent intelligence advantage.
Defense and weapons programs. Encrypted communications between defense contractors, procurement agencies, and military commands contain weapons system specifications, operational plans, and vulnerability assessments. The intelligence value to a rival military corresponds to the cost of the R&D programs it exposes.
Intellectual property. Trade secrets with decade-long competitive lives (pharmaceutical formulas, chip designs, manufacturing processes, source code) travel across corporate networks in encrypted form every day. The estimated cost of IP theft to the U.S. economy alone runs to $200–600 billion annually, according to the Commission on the Theft of American Intellectual Property.
Set those against the storage costs. Archiving a year of a targeted organization’s traffic costs less than $70,000. A single successful decryption could yield intelligence whose value exceeds the storage cost by orders of magnitude.
The Question You Should Ask Yourself
There is one more argument that I find ends the conversation faster than any statistic, because it removes the abstraction and puts the decision in the room.
Imagine you run an intelligence service. Not a hypothetical one, a real one, with a real budget and a mandate to collect foreign intelligence. Your engineers tell you that for less than $100,000 a year, you can copy and store the encrypted external communications of a major foreign defense contractor, a rival government’s finance ministry, or a competitor nation’s central bank. The collection is passive, requires no network intrusion, and carries minimal detection risk. The data is encrypted today, but your government’s quantum computing program, or simply the march of algorithmic research, gives you a credible chance of reading it within 10–15 years. The data itself (diplomatic strategy, weapons programs, economic policy) will still be valuable in that timeframe.
Would you authorize the collection?
For a target of that value, with a collection position already available, and information likely to retain its worth for decades, I cannot construct a rational case for declining. The cost is negligible relative to the budget, the exposure is near zero, and the potential payoff is enormous. An intelligence director might reasonably choose not to bother for a low-value target, or where plaintext access through other operations is cheaper, or where the information decays too quickly to justify the storage. But for the targets that matter most, the ones whose secrets are measured in decades, the decision is obvious.
Now remove yourself from the intelligence director’s chair and sit back in your own. You are the CISO, the CTO, or the board member. The question is no longer whether a rational adversary would do this for a high-value target. The question is whether your organization looks like one.
So, Is Harvest Now, Decrypt Later Real?
Back to the question in the room.
There is no public, caught-in-the-act case of a named adversary collecting encrypted data specifically to decrypt it with a future quantum computer. If that is the bar, I cannot clear it, and neither can anyone selling you a solution. But it is the wrong bar. Passive collection produces no evidence by design. A tap that copies light and emits nothing, or a dish that only receives, leaves no artifact for a victim to discover and no confession for a journalist to publish. Demanding a smoking gun for a technique whose defining property is that it leaves no smoke is asking for the one thing the method is built never to produce. The absence of a public case is what successful passive collection looks like.
What the record does establish is everything a rational-actor argument needs. The means are demonstrated: intelligence services have proven passive optical and radio interception repeatedly, at scale, and now cheaply enough for a hobbyist. The motive is real: long-lived secrets, such as diplomatic cables, financial records, identity data, and defense material, hold value for decades, which is the entire premise of the migration programs these same agencies have mandated. The opportunity exists: adversaries already reach backbone positions and physical proximity to cables, and the passive version needs no intrusion at all. And history supplies the precedent: states have tapped cables for intelligence for more than 70 years and have built purpose-designed collect-and-retain infrastructure to do it.
Put those together and the burden of proof flips. A well-resourced adversary can copy long-lived encrypted secrets today at minimal cost and minimal risk of detection. The question that needs answering is why one would choose not to. I have yet to hear a response to that question that survives contact with how intelligence services actually behave. “They can’t read it yet” is not a response, because the entire strategy is premised on reading it later. Storage is cheap and getting cheaper, the data does not spoil, and the only input required now is a copy that costs almost nothing to make. A rival service declining that trade would be the surprising behavior, not the reverse.
The Case Holds Even If You’re Not Sure
Suppose you are not fully persuaded. Suppose you put the probability that your organization’s traffic is being harvested lower than I do. The decision still comes out the same way.
HNDL is a problem of asymmetry. Collection is close to free for the adversary and undetectable to you, while the downside, your long-lived secrets becoming readable years from now, can be severe and irreversible. When the cost of the attack is near zero and the potential loss is large, you do not need a high probability to justify defending against it. You need only to notice that inaction is the genuinely risky bet.
This is why I keep arguing that the exact date of Q-Day has become almost beside the point. Fixating on when a quantum computer will break RSA is less useful than asking how long your data must stay secret, and whether that window extends past the point where its cryptography can be broken. A trade secret with a 20-year competitive life, a merger document sealed for a decade, a diplomatic cable classified for 25 years: each carries a secrecy clock ticking into the late 2030s and beyond, and no one can promise you a capable quantum computer will not arrive first.
If sensitive data you transmit today must remain confidential into the late 2030s, and passive collection of that data is free today, then the harvest has already happened for any adversary who wanted it, and the only remaining variable is when it gets read. That is a decision you can act on now without resolving any timeline debate. It is also why regulators, insurers, and major clients have stopped waiting for predictions and started setting their own quantum deadlines. The ecosystem has priced in the risk even where the proof is unavailable, and those deadlines will reach your organization regardless of what you personally believe about HNDL.
What to Do Now
For a security leader who accepts the argument, the near-term work is concrete rather than abstract:
- Identify your long-lived secrets first. What matters here is whatever must stay confidential for a decade or more: state secrets, financial and legal records, health and identity data, intellectual property, long-term contracts. Map where that data lives and, more importantly, where it travels.
- Assume anything crossing public networks is collectable. Traffic over the internet backbone, satellite links, and radio is exactly what passive collection captures. Treat data on those paths as potentially already copied, and let that assumption drive prioritization.
- Migrate the confidentiality-critical flows to post-quantum key establishment first. HNDL threatens key establishment, so deploying ML-KEM (or hybrid key establishment) on your longest-lived data flows is the priority. Signature migration has a separate timeline driven by different use cases, but do not treat it as an indefinite deferral: firmware verification, code-signing chains, embedded devices, and long-lived trust anchors can have lead times measured in years.
- Drive the program by data lifetime and regulatory dates, not by Q-Day forecasts. The deadlines that will actually govern you come from your regulators, insurers, and clients. Build the plan around those and around your own data’s secrecy horizon.
- Start from a structured plan rather than ad hoc fixes. The open PQC Migration Framework and these practical steps to quantum readiness exist so you do not have to invent the process, and Quantum Ready covers the full migration lifecycle if you want the long form.
The Answer I Give Now
The next time someone in a board room asks me whether Harvest Now, Decrypt Later is real, I will still tell them I cannot show them the harvest. That has not changed, and honesty requires saying so. But I can now give them the rest.
I can show them a dozen governments, several of them running collection programs of their own, warning about this in writing and legislating deadlines around it. I can show them a passive tap that a superpower could not find on its own cable for a decade, and a rooftop dish that pulls sensitive traffic out of the sky for the price of a weekend trip. I can show them a foreign state building above the encrypted arteries of a financial capital, and the counterintelligence agency quietly moving the cables.
And then I can hand the question back, because it belongs to them more than to me. Given all of that, what would have to be true for a capable adversary to look at your long-lived secrets, copy them today at negligible cost and negligible risk, and decide not to bother? I have not found a good answer. I doubt the adversary has either.