Right now, as you read this, sophisticated adversaries are harvesting your encrypted data—waiting for the quantum computer that will decrypt it in minutes. This is the reality of the quantum-era harvest now, decrypt later attack.
This isn’t speculation. Healthcare providers store patient records that must remain confidential for 30+ years. Meanwhile, financial institutions process transactions containing customer data valuable for decades. Similarly, government agencies protect state secrets that never expire. What they all share: encryption that will be broken by quantum computers arriving in the next decade. The harvest now, decrypt later strategy means your data encrypted today is already at risk.
According to IBM’s 2024 Cost of Data Breach Report, the average data breach costs $4.88 million. For healthcare organizations, however, that number jumps to $9.77 million. Nevertheless, these figures only capture today’s breaches—not the massive liability building up as your current encrypted data gets collected for future decryption. This quantum threat amplifies traditional authentication and security challenges exponentially.
My Experience with the Quantum Blindspot
Through my architectural evaluations with Fortune 500 enterprises as an AWS Solutions Architect in Munich, I’ve watched security teams discover their encryption strategies assume classical cryptography will protect data for 20, 30, even 50 years. During my Master of Computer Science security coursework at the University of Illinois Urbana-Champaign, we analyzed how these same threat models are becoming operational reality—not in decades, but years.
Recent discussions with SAP about their post-quantum readiness revealed a troubling pattern: enterprises waiting for “perfect solutions” while their data is already being harvested. Indeed, the quantum harvest paradox is real: data encrypted today equals a future breach waiting to happen.
To illustrate the urgency, consider that the federal government is budgeting $7.1 billion for their post-quantum migration from 2025 to 2035. Furthermore, the global post-quantum cryptography market is projected to grow from $1.9 billion in 2025 to $12.4 billion by 2035. Additionally, NSA’s CNSA 2.0 mandates establish hard deadlines between 2030 and 2035 for National Security Systems. This transformation requires rethinking our entire security architecture approach.
The clock is already ticking. Here’s why this matters to your organization right now.
Why This Matters NOW: The Invisible Threat
The Harvest Now, Decrypt Later Attack: Understanding the Quantum Threat
Here’s how the harvest now, decrypt later attack works: Adversaries intercept and store your encrypted data today—passively, without triggering any alarms. Importantly, they don’t need to decrypt it now. Instead, they’re patient. Consequently, they wait 5, 10, even 15 years for quantum computers to mature. Then, they retroactively decrypt everything they collected. As a result, your secrets from 2025 become exposed in 2035.
In 2024, the average data breach costs organizations $4.88 million globally, representing a 10% increase from the previous year—the largest annual spike since the pandemic. However, this figure only accounts for breaches discovered today. Critically, it doesn’t capture the massive liability accumulating as encrypted data gets harvested for future quantum decryption through this harvest now, decrypt later strategy.
Currently, compromised credentials remain the leading cause of data breaches, accounting for 16% of incidents. Nevertheless, when quantum computers arrive, they won’t need your credentials—they’ll simply break the encryption protecting your data in transit and at rest.
💡 Key Insight
Consider the shelf life of sensitive information:
- Medical records: 30+ years (HIPAA retention requirements)
- Financial records: 10-15 years (regulatory compliance)
- State secrets: 50+ years or forever (national security)
- Trade secrets: 5-20 years depending on industry
- Customer PII: Indefinite (identity theft risk never expires)
Industry Impact: Who’s at Risk?
Healthcare Systems face the most urgent threat. Specifically, healthcare organizations experienced the highest breach costs across all industries at $9.77 million per incident. Patient records harvested today will be decrypted in 2035—exposing medical histories, genetic data, and mental health records that remain sensitive for a lifetime. While HIPAA requires 30+ year retention, genetic data sensitivity never expires. Ultimately, privacy violations, discrimination, and blackmail become inevitable when this data is retroactively exposed.
Financial Services process $500 billion in daily transactions. Notably, M&A negotiations remain commercially sensitive for 10+ years, while investment strategies retain competitive value. Financial services firms face average breach costs of $6.08 million, 22% higher than the global average. For instance, encrypted transaction data from a 2025 acquisition will reveal strategies competitors would pay millions to access when decrypted in 2035.
Government Agencies handle the highest-stakes data. TOP SECRET clearance decisions, strategic defense plans, and intelligence operations create consequences that cascade across decades. Subsequently, agent identities, weapons systems designs, and operational details collected in 2025 and decrypted in 2035 endanger lives, compromise missions, and weaken national defense.
Commercial Enterprises—even if you’re not in healthcare, finance, or government—face real risk. Consider that your 5-year product roadmap is valuable to competitors. Likewise, pricing negotiations reveal margins, while customer lists enable targeted poaching. In practice, a competitor decrypting your 2025 strategic plan in 2030 can build their counter-strategy before you even launch.
Compliance Deadlines Are Real
This isn’t just a security best practice. Rather, for many organizations, post-quantum migration is a compliance requirement with hard deadlines.
Specifically, the NSA’s Commercial National Security Algorithm Suite 2.0 (CNSA 2.0) establishes a clear timeline for National Security Systems:
CNSA 2.0 Compliance Timeline: NSA-Mandated Migration Schedule for National Security Systems
CNSA 2.0 Timeline:
- 2025: Firmware and software signing begins transition to post-quantum algorithms
- 2027: New NSS acquisitions must support CNSA 2.0
- 2030: Traditional networking equipment (VPNs, routers, firewalls) must be PQC-compliant
- 2033: Web browsers, cloud services, and operating systems fully transitioned
- 2035: Complete quantum-resistant transition for all NSS
Notably, the NSA aims to make all National Security Systems quantum-resistant by 2035, with critical milestones beginning in 2025.
If you’re a government contractor, you must comply—or lose contracts. Moreover, if you’re in the supply chain of a contractor, requirements cascade down to you. Even if you’re not in defense, European and Asia-Pacific regulators are developing equivalent requirements. Consequently, CNSA 2.0 is becoming the de facto industry standard.
Furthermore, NSA expects all equipment transitions to be completed by December 31, 2030, well ahead of the 2035 deadline.
What Happens If You Wait
Lost Contracts: Government work increasingly requires CNSA 2.0 compliance. As a result, if you can’t certify compliance by 2027-2030, you’re disqualified from RFPs. Meanwhile, your competitors who started early win the work.
3-5x Higher Costs: Reactive migration costs exponentially more than proactive planning. Specifically, when quantum computers arrive and everyone scrambles, vendor support becomes premium-priced and scarce. Additionally, emergency migrations mean rushed decisions and compounding technical debt.
Data Liability: Data harvested today becomes tomorrow’s breach. Indeed, when quantum decryption becomes practical in 2030-2035, you’ll face the consequences of decisions you make now. This includes regulatory fines, lawsuits, and reputation damage.
Competitive Disadvantage: Early adopters market their quantum-readiness. As a result, they win enterprise customers with strict security requirements. Furthermore, they build crypto-agility into their architecture from the start. Meanwhile, late movers explain why they’re behind.
Technical Debt Compounds: Every new application, integration, and API built with vulnerable cryptography adds to your migration burden. Consequently, the longer you wait, the more systems require updating. In fact, technical debt doesn’t just accumulate—it multiplies exponentially.
The Quantum Computing Threat Landscape: How Harvest Now, Decrypt Later Works
How Quantum Computers Break Current Cryptography
Classical computers try to break RSA encryption through brute force—testing billions of combinations per second. However, the numbers are so large, it would take thousands of years. In contrast, quantum computers don’t brute force. Instead, they use Shor’s algorithm, which exploits quantum properties to factor large numbers exponentially faster. Consequently, what takes a classical computer thousands of years could take a quantum computer hours.
Think of it like searching a maze. Classical computers try every path sequentially. On the other hand, quantum computers explore all paths simultaneously through superposition and entanglement.
⚠️ What’s Vulnerable:
- RSA (all key sizes) – Used for: TLS, SSH, VPNs, email encryption
- ECDH/ECDSA (all curves including P-256, P-384, X25519) – Used for: TLS, cryptocurrencies, digital certificates
- DSA – Used for: Older systems, government applications
Why vulnerable: These algorithms rely on mathematical problems (integer factorization and discrete logarithm) that quantum computers can solve efficiently using Shor’s algorithm.
✅ What Remains Secure:
- AES-256 (symmetric encryption) – Quantum computers provide only quadratic speedup via Grover’s algorithm, meaning AES-256 effectively becomes AES-128—still secure for decades
- SHA-384/512 (hashing) – Increased output sizes maintain security margins
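To turn the two lists above into something a team can run against its own telemetry, here is an added example (not code from the original article) that triages TLS handshake records for harvest-now-decrypt-later exposure. It assumes a constructed log format of the form `<timestamp> suite=<IANA cipher suite> group=<key-exchange group or ->`, such as a load balancer or capture tool might emit; the hybrid group name X25519MLKEM768 is the one browsers and CDNs currently deploy. It goes one step beyond the text: only the key exchange decides HNDL exposure, because a signature forged in 2035 cannot decrypt a 2025 session, whereas a recorded RSA or (EC)DH key exchange can be reversed to recover the session key.

```python
"""Triage TLS handshake log lines for harvest-now-decrypt-later (HNDL) exposure.

Rules follow the article's lists: Shor breaks RSA / DH / ECDH key exchange,
Grover only halves effective symmetric strength (AES-256 -> ~128 bits).
Authentication algorithms are ignored on purpose: breaking them later does
not expose sessions recorded earlier; a broken key exchange does.
"""
import re

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
2025-06-01T10:00:01Z suite=TLS_AES_256_GCM_SHA384 group=X25519MLKEM768
2025-06-01T10:00:02Z suite=TLS_AES_128_GCM_SHA256 group=x25519
2025-06-01T10:00:03Z suite=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 group=secp256r1
2025-06-01T10:00:04Z suite=TLS_RSA_WITH_AES_256_CBC_SHA256 group=-
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+suite=(?P<suite>\S+)\s+group=(?P<group>\S+)")
SYM_RE = re.compile(r"(AES_(\d+)|CHACHA20)")


def key_exchange(suite: str, group: str) -> str:
    """Name the mechanism that established the session key."""
    if group != "-":
        return group  # TLS 1.3, or TLS 1.2 (EC)DHE: the negotiated named group
    # TLS 1.2 static key exchange, e.g. TLS_RSA_WITH_... -> "RSA"
    return suite.split("_WITH_")[0].removeprefix("TLS_")


def kex_is_quantum_safe(kex: str) -> bool:
    """Hybrid or pure ML-KEM groups resist Shor; every classical group or RSA kex does not."""
    return any(tag in kex.upper() for tag in ("MLKEM", "KYBER"))


def symmetric_bits(suite: str) -> int:
    """Key size of the record-protection cipher named in the suite."""
    m = SYM_RE.search(suite)
    if not m:
        raise ValueError(f"unrecognised cipher in {suite}")
    return 256 if m.group(1) == "CHACHA20" else int(m.group(2))


def assess(line: str) -> dict:
    """Classify one handshake record; HNDL exposure is decided by the key exchange alone."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    kex = key_exchange(m["suite"], m["group"])
    bits = symmetric_bits(m["suite"])
    safe = kex_is_quantum_safe(kex)
    return {
        "ts": m["ts"],
        "kex": kex,
        "kex_quantum_safe": safe,
        "symmetric_bits": bits,
        "grover_effective_bits": bits // 2,  # quadratic speedup, as the article states
        "hndl_exposed": not safe,
    }


def triage(log: str) -> list:
    return [assess(line) for line in log.splitlines() if line.strip()]


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        flag = "EXPOSED" if r["hndl_exposed"] else "ok"
        print(f"{r['ts']} kex={r['kex']:<16} sym={r['symmetric_bits']}"
              f"/{r['grover_effective_bits']}-bit vs Grover  {flag}")
```

Run over real exports, the "EXPOSED" rows are the sessions whose contents an adversary recording today could read after Q-Day, regardless of how strong the AES cipher was.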
The Quantum Computer Timeline
As of 2025, the largest quantum computers have approximately 1,000 qubits from IBM and Google. However, these are “noisy” quantum computers where errors accumulate quickly, limiting computational complexity. According to IBM’s Quantum Computing roadmap, significant advances are expected in the coming years.
To break RSA-2048, experts estimate we need a Cryptographically Relevant Quantum Computer (CRQC) with:
- ~20 million noisy qubits, OR
- ~10,000 error-corrected logical qubits
- Stable enough to run Shor’s algorithm for hours
Expert Consensus Timeline:
- Optimistic: 2027-2030 (10% of experts)
- Median: 2030-2033 (50% of experts)
- Conservative: 2033-2035 (90% of experts)
- Outliers: After 2040 (5% of experts)
Notably, most organizations plan assuming 2030-2035 as the realistic window. Indeed, the cryptographic community calls this inflection point “Q-Day”—the day when quantum computers can break real-world encryption. While we don’t know exactly when Q-Day arrives, we know it’s coming.
The Three-Phase Harvest Now, Decrypt Later Attack Pattern
Understanding the harvest now, decrypt later attack is crucial because it changes how you think about risk. Importantly, this isn’t traditional breach behavior where attackers exploit vulnerabilities today. Rather, this is a patient, long-game strategy.
Phase 1: Collection (NOW – 2025-2030)
Adversaries passively intercept and store encrypted traffic. Notably, no intrusion is required—just listening on network paths, tapping undersea cables, or compromising internet service providers. Passive collection triggers no alerts. There’s no attempted decryption, no system compromise, and no evidence. Currently, nation-state actors, sophisticated criminal groups, and espionage organizations are doing this right now.
Phase 2: Storage (2025-2030)
They archive terabytes of encrypted data, waiting for quantum computing to mature. Significantly, storage is cheap—a petabyte costs ~$10,000. That’s 1,000,000 GB of your encrypted communications. Primarily, they’re targeting highest-value targets: government agencies, financial services, healthcare providers, defense contractors, and critical infrastructure operators.
Phase 3: Decryption (2030+)
Retroactively decrypt historical data when CRQC becomes available. Everything encrypted between 2025-2030 becomes readable in 2035. For example, your 2025 M&A negotiation emails? Decrypted in 2035. Patient medical records from 2027? Exposed in 2037. Similarly, classified strategic plans from 2028? Compromised in 2038.
💡 Key Insight
Why This Is Different:
- No immediate detection – Passive collection vs. active intrusion
- No intrusion alerts – Just listening vs. breaking in
- Future vulnerability – Current encryption breaks later
- Long-term exposure – Decades of data at risk
- Patient adversary – They can wait 10+ years
This patient, invisible threat is why Mosca’s Theorem is so important for planning your response.
Mosca’s Theorem: Calculate Your Risk
Dr. Michele Mosca, a quantum computing researcher at the University of Waterloo, developed a simple formula to determine if your organization should start migrating to post-quantum cryptography now.
MOSCA’S THEOREM
If: X + Y > Z, then you’re at risk
X = Data shelf life (how long must it stay secret?)
Y = Migration time (how long to upgrade systems?)
Z = Time until CRQC exists
If X + Y > Z, you need to START MIGRATION NOW
Let’s break down each variable:
X – Data Shelf Life: How long does your data need to remain confidential?
- Medical records: 30+ years (HIPAA requirements)
- Financial records: 10-15 years (regulatory retention)
- Trade secrets: 5-20 years (competitive lifespan)
- State secrets: 50+ years or forever
- Customer PII: Indefinite (identity theft risk never expires)
Y – Migration Time: How long will it realistically take to migrate all your systems?
- Small organization: 2-3 years
- Mid-size enterprise: 3-5 years
- Large enterprise: 5-7 years
- Complex legacy systems: 7-10 years
Z – Time Until CRQC: Most experts estimate 10 years (range: 5-15 years). For conservative planning, we use 10 years to CRQC arrival (2035).
Example: Large Hospital System
X = 30 years (medical record retention requirement)
Y = 5 years (time to migrate complex EHR, PACS, and laboratory systems)
Z = 10 years (conservative CRQC estimate)
CALCULATION:
X + Y = 30 + 5 = 35 years
Z = 10 years
35 > 10 ✗
VERDICT: START IMMEDIATELY
You need your data to stay secret for 35 years, but quantum computers arrive in 10 years. Clearly, you’ve already run out of time to wait. Consequently, migration must start now to protect data being encrypted today.
Decision Framework by Industry
| Industry | Shelf Life (X) | Migration (Y) | CRQC (Z) | Status |
|---|---|---|---|---|
| Healthcare | 30+ years | 5 years | 10 years | ⚠️ URGENT |
| Financial | 10-15 years | 4 years | 10 years | ⚠️ HIGH PRIORITY |
| Government | 50+ years | 6 years | 10 years | 🚨 CRITICAL |
| Enterprise | 5-10 years | 3-4 years | 10 years | ⚠️ PRIORITY |
| Startup | 2-5 years | 2 years | 10 years | ✅ MONITOR |
Decision Rules:
If X + Y > Z: Start migration immediately. Your data will be vulnerable before migration completes. Example: Healthcare (30 + 5 = 35 > 10) → Start NOW
If X + Y ≈ Z: Start migration within 1 year. You’re cutting it close. Indeed, any delays put you at risk. Example: Financial services (12 + 4 = 16 ≈ 10) → Plan for 2026 start
If X + Y < Z: Plan migration but less urgent. Nevertheless, you have breathing room but shouldn’t delay indefinitely. Example: Short-term data (3 + 2 = 5 < 10) → Begin planning, start 2027-2028
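As an added example (not code from the original article), here is Mosca’s Theorem as a small risk calculator run over the industry table above. It also derives the calendar consequences the rules imply: since data encrypted in year t must stay secret until t + X while a CRQC exists from now + Z, classical encryption is unsafe for any t later than now + Z − X, and a migration taking Y years must therefore have begun by now + Z − X − Y. Assumptions: the article does not define the width of the “X + Y ≈ Z” band, so a gap of up to 2 years either way is treated as “cutting it close”; ranges such as “10-15 years” are evaluated at their upper bound, because the longest-lived data is what stays exposed longest; the current year is taken as 2025.

```python
"""Mosca's Theorem (X + Y > Z) as a risk calculator with calendar consequences."""
from dataclasses import dataclass

Z_YEARS_TO_CRQC = 10    # the article's conservative planning figure (CRQC ~2035)
APPROX_BAND_YEARS = 2   # assumption: |X + Y - Z| <= 2 is treated as "X + Y ≈ Z"
CURRENT_YEAR = 2025     # assumption: "now" as used in the article


@dataclass(frozen=True)
class Assessment:
    verdict: str
    exposure_years: int      # X + Y - Z: years the last classically-encrypted data
                             # remains sensitive after a CRQC exists
    first_exposed_year: int  # classical encryption performed from this year on is at risk
    latest_start_year: int   # migration must have begun by this year to avoid exposure


def assess(x: int, y: int, z: int = Z_YEARS_TO_CRQC, now: int = CURRENT_YEAR) -> Assessment:
    """Apply the article's three decision rules and derive the calendar deadlines.

    Data encrypted in year t needs secrecy until t + X; a CRQC arrives at now + Z.
    Hence classical encryption is unsafe for t > now + Z - X, and a Y-year
    migration has to be finished by then, i.e. started by now + Z - X - Y.
    """
    gap = x + y - z
    if gap > APPROX_BAND_YEARS:
        verdict = "START IMMEDIATELY"     # X + Y > Z
    elif gap >= -APPROX_BAND_YEARS:
        verdict = "START WITHIN 1 YEAR"   # X + Y ≈ Z
    else:
        verdict = "PLAN, LESS URGENT"     # X + Y < Z
    return Assessment(verdict, gap, now + z - x, now + z - x - y)


# The article's decision table, taking the upper bound of each X and Y range.
INDUSTRY_TABLE = {
    "Healthcare": (30, 5),
    "Financial": (15, 4),
    "Government": (50, 6),
    "Enterprise": (10, 4),
    "Startup": (5, 2),
}


def run_table(table=INDUSTRY_TABLE) -> dict:
    """Assess every row of the table; returns {industry: Assessment}."""
    return {name: assess(x, y) for name, (x, y) in table.items()}


if __name__ == "__main__":
    for name, a in run_table().items():
        start = ("already passed" if a.latest_start_year < CURRENT_YEAR
                 else str(a.latest_start_year))
        print(f"{name:<11} {a.verdict:<19} gap={a.exposure_years:+d}y  "
              f"classical crypto unsafe from {a.first_exposed_year}, "
              f"latest migration start: {start}")
```

For the hospital row the latest start year comes out as 2000: records encrypted classically at any point in the last two decades are already inside the exposure window, which is the quantitative form of the “you’ve already run out of time” conclusion.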
💡 Key Insight
Mosca’s Theorem reveals the counterintuitive truth: urgency isn’t determined by when quantum computers arrive—it’s determined by how long your data needs to stay secret and how long migration takes. For most organizations with sensitive data, you’ve already run out of time to wait.
The “We’ll Wait Until Standards Mature” Trap
The most common response I hear from security teams: “We’ll wait until the standards are more mature, vendors have implementations ready, and the ecosystem has settled.” On the surface, this sounds prudent. However, it’s not. Here’s why that strategy fails.
1. Standards Are Already Finalized
NIST published FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA) on August 13, 2024. Importantly, these aren’t drafts—they’re final, approved standards designed to protect against the quantum threat. In fact, the “wait for standards” excuse expired over 18 months ago.
Specifically, FIPS 203 specifies the Module-Lattice-Based Key-Encapsulation Mechanism Standard, derived from CRYSTALS-KYBER. Meanwhile, FIPS 204 specifies the Module-Lattice-Based Digital Signature Standard, derived from CRYSTALS-Dilithium.
2. Migration Takes 5-10 Years
This isn’t a software update you deploy over a weekend. Rather, enterprise migration takes years:
- Discovery: 6-12 months
- Planning: 6-12 months
- Pilot deployment: 6-12 months
- Production rollout: 2-5 years
- Long-tail legacy systems: 2-5 years
Total: 5-10 years for complete migration
3. Data Is Being Harvested Today
While you wait for “perfect” solutions, adversaries are executing the harvest now, decrypt later attack right now. Indeed, every day you delay is another day of encrypted traffic being collected. According to CISA’s quantum readiness guidance, that data will be vulnerable when quantum computers arrive—whether you’ve migrated or not.
4. Vendor Dependencies Extend Timeline
Even after you decide to migrate, you’re dependent on:
- Hardware vendors (firmware updates)
- Software vendors (application updates)
- Cloud providers (service upgrades)
- Certificate authorities (PKI transitions)
Consequently, these dependencies add 1-2 years to your timeline. While you can’t control vendor schedules, you can control when you start engaging them to protect against the harvest now, decrypt later threat.
The Reality
NIST standards are finalized. Furthermore, AWS, Google, and Cloudflare are already deploying post-quantum cryptography in production systems. Additionally, government mandates are in effect with hard deadlines. Clearly, the ecosystem has moved past the “research phase” to the “implementation phase.”
Waiting isn’t prudent—it’s falling behind. In reality, the question isn’t “should we wait for standards to mature?” Rather, it’s “how do we catch up with organizations that started in 2024?”
Bottom Line: The Quantum Threat Is Already Here
The harvest now, decrypt later attack isn’t coming—it’s already here. Specifically, data encrypted today with RSA or ECDSA will be vulnerable when quantum computers arrive in 2030-2035. As noted in NCSC’s quantum-safe cryptography guidance, organizations must act now.
With breach costs reaching $4.88 million on average and healthcare breaches hitting $9.77 million, the financial impact of delayed action compounds exponentially. Moreover, for most organizations with sensitive data, Mosca’s Theorem shows a stark reality: X + Y > Z. In other words, you’ve already run out of time to wait.
The NSA’s CNSA 2.0 establishes mandatory compliance deadlines starting in 2025, with full transition required by 2035 for National Security Systems. Furthermore, government contractors must comply or face disqualification. As a result, supply chain requirements cascade throughout the ecosystem.