TL;DR: Intelligence agencies (including China, Russia, and likely the NSA) are intercepting and storing encrypted internet traffic right now, waiting for quantum computers powerful enough to crack it. This strategy is called “harvest now, decrypt later” (HNDL). Experts estimate quantum computers could break today’s standard encryption (RSA-2048, ECC) between 2030 and 2035. NIST finalized three post-quantum cryptography standards in August 2024. The NSA wants all national security systems migrated by 2035. Fewer than 5% of companies have started the transition. Your encrypted messages, medical records, financial data, and private communications are being vacuumed up today for decryption tomorrow. Here’s what’s happening, who’s doing it, and what you can do about it.
The Simplest Surveillance Strategy Ever
You encrypt your emails. You use Signal. Your bank uses TLS. Your VPN wraps everything in a tunnel. All of this protects you from anyone reading your data today.
But what if someone records the encrypted traffic anyway?
That’s the entire premise of “harvest now, decrypt later.” Copy everything. Store it. Wait for quantum computers to mature. Then decrypt it all at once.
It’s not theoretical. The U.S. Department of Homeland Security, the UK’s National Cyber Security Centre, the EU Agency for Cybersecurity (ENISA), and Australia’s Cyber Security Centre all base their post-quantum guidance on the same assumption: adversaries are already collecting and storing encrypted data for future decryption [1][2].
Booz Allen Hamilton’s threat assessment is blunt: “Chinese threat groups will likely soon collect encrypted data with long-term utility, expecting to eventually decrypt it with quantum computers” [3].
“Soon” is generous. They’re probably already doing it.
What Data Is Being Harvested
Not all encrypted data is equally valuable to a patient adversary. The highest-value targets have one thing in common: the information stays sensitive for years or decades [2][4].
| Data Type | Why It’s Valuable in 10 Years |
|---|---|
| Diplomatic cables | Reveals negotiation strategies, alliances, and intelligence sources |
| Military communications | Operational plans, force positioning, classified capabilities |
| Medical records | Blackmail material, genetic data, lifelong relevance |
| Financial transactions | Trade secrets, insider information, tax records |
| Corporate R&D | Patents, drug formulas, strategic plans |
| Encrypted messaging | Journalist sources, whistleblower communications, legal privilege |
| VPN traffic | Browsing habits, location data, personal communications |
Think about what you sent encrypted five years ago. Medical test results? Business negotiations? Messages to a lawyer? That data doesn’t expire. And if someone copied the encrypted version off the wire, they just need to wait.
When Does the Lock Break?
The big question: when will quantum computers actually crack current encryption?
The Global Risk Institute estimated in 2024 a 5% to 14% probability that quantum computers could break RSA-2048 within five years (by 2029), rising to 19% to 34% within ten years (by 2034) [5]. Gartner’s February 2026 report ranked quantum encryption threats as the #1 cybersecurity priority globally, estimating “Q-Day” (the day a quantum computer breaks standard encryption) around 2030 [6].
China’s quantum program is accelerating. In March 2025, the University of Science and Technology of China unveiled Zuchongzhi 3.0, a 105-qubit superconducting quantum processor [18]. Researchers in Shanghai factored a 22-bit RSA key using quantum methods: a toy demonstration, but one that proves the math works [7]. Scale it up enough, and RSA-2048 falls.
The NSA isn’t waiting to find out. Its CNSA 2.0 framework requires quantum-safe algorithms for all new national security systems by January 2027, full application migration by 2030, and complete infrastructure migration by 2035 [8].
That’s not a leisurely timeline. That’s a government that believes the threat is real and imminent.
Who’s Doing the Harvesting
The short answer: anyone with the infrastructure to intercept and store bulk internet traffic.
China: Booz Allen Hamilton assessed that Chinese APT groups are “likely soon” to begin systematic collection of encrypted data for future quantum decryption [3]. Given China’s demonstrated capabilities in bulk data collection (the 2015 OPM hack alone stole 22 million background check records), the infrastructure exists.
Russia: Russian intelligence has decades of experience intercepting communications infrastructure. The SVR’s SolarWinds campaign demonstrated the ability to sit inside networks for months, exfiltrating data undetected.
The NSA: Thanks to Edward Snowden, we know the NSA operates programs specifically designed to collect encrypted traffic at scale. The MUSCULAR program tapped fiber-optic cables between Google and Yahoo data centers, collecting encrypted data in bulk [9]. The PRISM program accessed data directly from tech companies. If the NSA wasn’t already storing encrypted traffic for future decryption, it would be the only intelligence agency on earth showing that level of restraint.
Signals intelligence alliances: The Five Eyes alliance (US, UK, Australia, Canada, New Zealand) shares intelligence collection capabilities. GCHQ’s Tempora program intercepted transatlantic fiber-optic cables, buffering internet traffic for processing [9].
Storage is cheap. A petabyte of hard drive storage costs under $20,000. The NSA’s Utah Data Center, completed in 2014, was designed to store “yottabytes” of data, that’s a trillion terabytes [10]. They built the filing cabinet before the key was invented.
The Fix Exists. Nobody’s Using It.
On August 13, 2024, NIST published three post-quantum cryptography standards after eight years of development [11]:
- FIPS 203 (ML-KEM): Key encapsulation, replaces RSA and Diffie-Hellman for securely exchanging encryption keys
- FIPS 204 (ML-DSA): Digital signatures, replaces RSA and ECDSA for verifying identities
- FIPS 205 (SLH-DSA): Hash-based digital signatures, a backup standard using different mathematical assumptions
These algorithms are designed to resist attacks from both classical and quantum computers. They’re free. They’re standardized. They work.
So who’s adopted them?
Almost nobody. Fewer than 5% of enterprises have formal quantum-transition plans, according to Gartner’s 2026 analysis [6]. The Federal Reserve published a paper specifically warning that blockchain networks face existential HNDL risks because past transactions on the ledger can never be re-encrypted [12].
The U.S. government is further along than the private sector, but not by much. The Quantum Computing Cybersecurity Preparedness Act requires agencies to inventory vulnerable systems and report migration progress through at least 2029 [13]. CISA published a product category list in January 2026 identifying where federal agencies should buy PQC-enabled products [14]. But compliance is spotty.
Orange Cyberdefense security consultant Mohammed Meziani identified the core problem: a “lack of perceived urgency from leadership” combined with a “shortage of qualified cryptography personnel” [15]. Companies don’t feel the pain yet. By the time they do, the data is already gone.
The Government’s Migration Timeline
Here’s what the U.S. federal government is supposed to do, and when [8][13][14]:
| Deadline | Requirement |
|---|---|
| August 2024 | NIST publishes FIPS 203, 204, 205 (done) |
| January 2026 | CISA publishes PQC product category list for federal procurement (done) |
| September 2026 | All remaining FIPS 140-2 validated certificates move to “Historical” list |
| January 2027 | All new national security system acquisitions must use quantum-resistant algorithms |
| 2030 | NIST deprecates all quantum-vulnerable algorithms at ≤112-bit security. DoD full application migration target |
| 2035 | All quantum-vulnerable public-key algorithms disallowed. Complete NSS migration required |
Notice the gap: NIST says quantum-vulnerable algorithms should be gone by 2035. Gartner says Q-Day might hit by 2030. If the optimists are wrong, there’s a five-year window where harvested data is already crackable and the migration isn’t complete.
What This Means for You
If you’re not a diplomat or a defense contractor, you might think this doesn’t apply to you. It does.
Your encrypted medical records from 2020? If intercepted, they could be readable by 2032. Your financial transactions? Your location data from VPN-protected browsing? Your Signal messages from before Signal adopted post-quantum key exchange in September 2023 [16]?
All of it is potentially stored. All of it is waiting.
Even cryptocurrency isn’t safe. The Federal Reserve’s research paper warns that Bitcoin and other blockchain networks face a unique HNDL vulnerability: every transaction is permanently recorded on a public ledger. You can’t go back and re-encrypt old blocks [12]. When quantum computers can derive private keys from public keys, early Bitcoin wallets become open safes.
What You Can Do Right Now
- Use apps that already support post-quantum encryption. Signal added post-quantum key exchange (PQXDH) in September 2023 [16]. Apple’s iMessage added PQ3 protocol in March 2024 [17]. Switch if you haven’t.
- Check your VPN. Some VPN providers have started implementing post-quantum key exchange. Ask yours if they support ML-KEM (FIPS 203). If they don’t know what that means, switch.
- Encrypt stored data with quantum-resistant algorithms. If you’re storing sensitive files long-term, tools like liboqs provide post-quantum encryption libraries.
- Pressure your bank, hospital, and employer. Ask them: “Have you started migrating to post-quantum cryptography?” If the answer is blank stares, that’s a problem.
- Assume everything sent before ~2024 is compromised. If it was intercepted in transit by a state-level adversary, it’s stored. Act accordingly.
- Watch the FISA 702 debate. The data broker loophole means the government can buy data it didn’t harvest itself. Quantum decryption plus purchased metadata equals total surveillance.
The Bigger Picture
Harvest now, decrypt later isn’t a future threat. The harvesting is happening now. The decryption is the only part that’s coming later.
Every day that passes without post-quantum encryption deployed at scale is another day of traffic intercepted, stored, and queued for future reading. Intelligence agencies don’t delete data. Storage gets cheaper every year. And quantum computing gets closer.
The standards exist. The deadlines are set. The transition has barely started. And somewhere in a data center, in Utah, in Beijing, in Moscow, hard drives are filling up with everything you thought was private.
The question isn’t whether your encrypted data will be readable. It’s when.
References
- CISA: Post-Quantum Cryptography Initiative
- Palo Alto Networks: “Harvest Now, Decrypt Later (HNDL): The Quantum-Era Threat”
- Booz Allen Hamilton: “Chinese Threats in the Quantum Era”
- HashiCorp: “Harvest Now, Decrypt Later: Why Today’s Encrypted Data Isn’t Safe Forever”
- Global Risk Institute: Quantum Threat Timeline Report 2024
- isMalicious: “Quantum Computing Threats to Encryption: A 2026 Perspective”
- Earth.com: “China Breaks RSA Encryption with a Quantum Computer”
- Post-Quantum: “The Complete US PQC Regulatory Framework in 2026”
- Wikipedia: “Harvest Now, Decrypt Later” (overview and intelligence program history)
- Reuters: “NSA Utah Data Center”
- NIST: “NIST Releases First 3 Finalized Post-Quantum Encryption Standards” (August 13, 2024)
- Federal Reserve: “Harvest Now Decrypt Later: Examining Post-Quantum Cryptography and Data Privacy Risks for Distributed Ledger Networks”
- Congress: Quantum Computing Cybersecurity Preparedness Act (H.R. 7535)
- The Quantum Insider: “CISA Issues Federal Buying Guidance for Post-Quantum Cryptography” (January 2026)
- The Hacker News: “Expert Recommends: Prepare for PQC Right Now” (February 2026)
- Signal: “PQXDH: Post-Quantum Extended Diffie-Hellman Key Agreement”
- Apple: “iMessage with PQ3: The Most Quantum-Secure Messaging Protocol”
- University of Science and Technology of China: “Zuchongzhi-3: A 105-qubit superconducting quantum processor” (March 2025)
Published: April 1, 2026