Adversaries are collecting your encrypted communications today — traffic they cannot yet read, filed away against the day a quantum computer makes them legible. That day is not guaranteed to arrive by 2030. It is, however, close enough that the window for an orderly migration is already narrowing. The question is no longer whether to act. It is whether organisations will act before the data they are generating today becomes tomorrow’s intelligence bonanza.
By Vladimir Tsakanyan, PhD · Center for Cyber Diplomacy and International Security · cybercenter.space
Consider a classified diplomatic cable, encrypted today with RSA-2048 and transmitted between two allied foreign ministries. The communication contains negotiating positions that will remain sensitive for the next fifteen to twenty years. A sophisticated state-linked actor intercepts and stores a copy of the encrypted traffic tonight. They cannot read it. Not yet. But they archive it with patience and institutional memory that most democratic governments cannot match — and they wait. In 2033 or 2034, if the trajectory of quantum hardware development holds, they feed the file into a cryptographically relevant quantum computer running Shor’s algorithm. The contents, encrypted with all the care that current best practice demands, are decrypted in hours.
This is not a thought experiment. It is an operational reality that intelligence agencies in the United States, the United Kingdom, and Germany have all, in the past two years, confirmed is already underway. Adversaries — assessed to include China’s state intelligence apparatus, and potentially others — are exfiltrating encrypted data at scale, not because they can read it now, but because they have calculated that the investment in storage is worth the eventual return. The attack has a name: harvest now, decrypt later. It is happening in the present tense, against data that most organisations do not yet classify as compromised, because the compromise has not yet been realised.
This temporal structure — an attack whose effects are deferred — is the central reason that harvest now, decrypt later (HNDL) has received less organisational attention than its strategic significance demands. Security teams are, quite reasonably, calibrated to respond to threats that produce immediate, observable effects. An adversary that steals data you cannot yet read does not trigger incident response. It does not generate an alert. It does not appear in a threat intelligence feed as an active compromise. It appears, years later, in a diplomatic crisis, a commercial disadvantage, or an intelligence assessment that concludes, with uncomfortable precision, that your negotiating position was known before you sat down at the table.
The Quantum Timeline — and Why It Is the Wrong Question
Discussions of post-quantum cryptography are reliably derailed by arguments about timing: how long until a cryptographically relevant quantum computer (CRQC) — a machine capable of running Shor’s algorithm against RSA-2048 at operationally meaningful scale — actually exists? The estimates span a wide range. Google’s Willow chip, demonstrated in December 2024, and Microsoft’s topological qubit announcement of February 2025 both represent genuine engineering milestones. They do not represent the arrival of a CRQC. Most credible technical assessments place that threshold somewhere between 2030 and 2040, with meaningful uncertainty in both directions. One in three cybersecurity experts, surveyed in the 2024 Quantum Threat Timeline Report, forecast Q-Day before 2032.
The timeline debate, however, systematically obscures the more operationally relevant question, which is not when quantum computers will break current encryption, but when organisations need to have completed their migration to quantum-resistant cryptography. These are not the same question, and the gap between them is where organisations consistently lose years they cannot afford to lose.
NIST’s IR 8547 transition framework makes the arithmetic explicit. If a cryptographically relevant quantum computer arrives in, say, 2033, and a full PQC migration for a large, complex organisation takes seven to ten years to complete — a realistic estimate given the scope of a cryptographic inventory, the complexity of algorithm substitution across distributed systems, the hardware refresh cycle required to support new standards, and the vendor timelines for PQC-capable HSMs — then an organisation that has not begun its migration by 2026 is already at risk of running out of runway. NIST’s own deadline for federal systems is 2035, with national security systems required to comply under CNSA 2.0 by 2030. The implication for data with long-term confidentiality requirements is that the relevant deadline is not Q-Day. It is today.
Analyst note
The governance challenge embedded in HNDL is precisely its temporality. It is structurally similar to the challenge of climate risk disclosure: the consequences of inaction are real, material, and analytically predictable, but they are separated from the decision point by an interval long enough to make deferral individually rational even when it is collectively catastrophic. Organisations that do not begin PQC migration in 2026 are making a gamble on Q-Day timing that they are not, in most cases, acknowledging as a gamble. They are, instead, not thinking about it — which is a different and considerably more dangerous condition.
What NIST Has Built — and What It Requires
August 2024 marked a genuine inflection point. After eight years of international competition involving cryptographers, mathematicians, and security researchers from dozens of countries, NIST finalised its first three post-quantum cryptographic standards: ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism, derived from CRYSTALS-KYBER), ML-DSA (Module-Lattice-Based Digital Signature Algorithm), and SLH-DSA (Stateless Hash-Based Digital Signature Standard). A fourth standard, HQC — a code-based key encapsulation mechanism designed as a backup to ML-KEM in the event of an unforeseen lattice-based vulnerability — was selected for standardisation in March 2025, with finalisation expected in 2026 or 2027.
These are not provisional or experimental specifications. They represent the output of an open, adversarially tested, internationally scrutinised standardisation process of exceptional rigour. The algorithms have survived sustained cryptanalytic attention from the global research community. Organisations can proceed with confidence in their mathematical foundations. The questions that remain are operational, not theoretical: how to conduct a comprehensive cryptographic inventory, how to prioritise migration across a complex and heterogeneous technology stack, and how to manage the transition period in which classical and post-quantum algorithms must coexist.
By early 2026, the deployment signals are measurable. Cloudflare reported that more than half of human-initiated web traffic passing through its infrastructure used post-quantum key agreement by late October 2025 — a milestone driven primarily by the adoption of ML-KEM in TLS key exchange by major browser and server vendors. This is encouraging at the infrastructure layer. It does not address the deeper problem: the vast majority of enterprise organisations remain in what analysts charitably describe as “preparation mode” — aware of the requirement, without a formal migration plan, and generating new cryptographic debt daily on systems being built or procured right now with classical algorithms that will require replacement.
A system built in 2026 with hardcoded RSA-2048 will require a code rewrite for migration. A system built in 2026 with algorithm-agile design can migrate by updating a configuration file. The architectural choice being made today will determine the cost of the transition tomorrow.
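An added sketch of the algorithm-agile design described above (not code from the article or any vendor): the caller asks for a session key, and the key-exchange algorithms come from a configuration profile, so moving from classical to hybrid is a config change. The profile names, `derive_session_key` and the sample secrets are hypothetical; in a real deployment the secrets come from the ECDH and ML-KEM exchanges themselves.

```python
import hashlib
import hmac
import json

# Constructed deployment config: changing "active" is the whole migration step.
CONFIG = json.loads("""
{"active": "hybrid-2026",
 "profiles": {"classical-legacy": ["ecdh-p256"],
              "hybrid-2026": ["ecdh-p256", "ml-kem-768"]}}
""")


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) extract-then-expand, using only the standard library."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_session_key(config: dict, secrets: dict, transcript: bytes) -> bytes:
    """Combine the shared secret of every algorithm in the active profile.

    `secrets` maps algorithm name -> shared secret from that key exchange.
    Business logic calls this function and never names an algorithm itself.
    """
    names = config["profiles"][config["active"]]
    missing = [n for n in names if n not in secrets]
    if missing:
        # Fail closed: never fall back silently to a weaker profile.
        raise ValueError(f"missing shared secret for {missing}")
    # Length-prefix each secret so the concatenation is unambiguous.
    ikm = b"".join(len(secrets[n]).to_bytes(2, "big") + secrets[n] for n in names)
    # Bind the algorithm list into the KDF so a profile change changes the key.
    info = "+".join(names).encode() + b"|" + transcript
    return hkdf_sha256(ikm, salt=b"\x00" * 32, info=info)


# Constructed stand-ins for real ECDH and ML-KEM outputs (32 bytes each).
SAMPLE_SECRETS = {"ecdh-p256": bytes(range(32)), "ml-kem-768": bytes(range(32, 64))}
```

Under the hybrid profile the derived key depends on both secrets, so recovering the ECDH secret alone does not yield the session key.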
The Encryption Backdoor Problem — Still Unresolved
Post-quantum cryptography does not exist in a political vacuum. The migration to quantum-resistant algorithms is occurring against the backdrop of a decade-long policy dispute that has not been resolved, has not gone away, and is directly relevant to the security guarantees that PQC can actually deliver: the question of government-mandated encryption backdoors.
The FBI’s longstanding position — that end-to-end encrypted communications must be accessible to law enforcement through some form of lawful access mechanism — has not changed with the arrival of PQC standards. Nor has the technical reality that any such mechanism constitutes a structural vulnerability exploitable by adversaries who need not respect the legal constraints under which it was designed. The Salt Typhoon compromise of US telecommunications infrastructure in 2024, in which Chinese state-linked actors gained persistent access to networks that included lawful intercept capabilities, demonstrated with operational precision what cryptographers have argued theoretically for thirty years: a backdoor for one is a backdoor for all.
The relevance to post-quantum cryptography is direct. A migration to ML-KEM and ML-DSA that includes a government-accessible key escrow or lawful intercept mechanism does not deliver quantum-resistant security. It delivers quantum-resistant encryption with a classically exploitable vulnerability stitched into its architecture. The political pressure for such mechanisms has not diminished in proportion to the technical arguments against them — and the arrival of stronger encryption standards historically intensifies rather than resolves the law enforcement access debate.
Analyst note
The geopolitics of post-quantum advantage deserve more analytical attention than they have received in the mainstream policy debate. If one state achieves a cryptographically relevant quantum capability significantly ahead of others — and maintains that advantage in operational secrecy for even a limited window — the intelligence implications are not incremental. They are transformative. Fifteen years of adversary diplomatic traffic, decrypted retroactively, would constitute an intelligence advantage without historical precedent in the modern era. This is not a hypothetical that can be safely bracketed as long-term. It is the strategic logic that explains why China’s quantum computing investment has been assessed, by multiple Western intelligence agencies, as a national security priority of the first order.
A Migration Framework: What Organisations Must Begin Now
The policy recommendation that emerges from this analysis is straightforward in outline, demanding in execution, and — unlike most cybersecurity governance problems — one where the technical path is genuinely clear. NIST has done the hard work. The standards exist. The question is organisational will and prioritisation.
Migration priorities — in order of urgency
- Conduct a cryptographic inventory. You cannot migrate what you have not mapped. Every system, protocol, and data store that relies on RSA, ECC, or Diffie-Hellman key exchange must be identified, catalogued, and prioritised by data sensitivity and exposure window. This is the step most organisations have not taken, and it is the prerequisite for everything that follows.
- Prioritise long-lived, high-sensitivity data first. Diplomatic communications, intellectual property, healthcare records, financial data, and anything transmitted regularly over public networks faces the highest HNDL exposure. These datasets must be re-encrypted under quantum-resistant schemes as a matter of urgency, irrespective of broader migration timelines.
- Begin hybrid deployments on TLS and key exchange. Running ML-KEM alongside ECDH in parallel — so that both must be broken to compromise a session — is the current best practice for the transition period. Major infrastructure providers already support this. Enterprise adoption lags significantly.
- Build for crypto agility from this point forward. Any system architected or procured in 2026 with hardcoded classical algorithms is generating technical debt with a known and foreseeable due date. Algorithm-agile design — where cryptographic primitives are abstracted and configurable rather than embedded in business logic — is not a future requirement. It is a present one.
- Verify HSM compatibility. Hardware security modules that do not support ML-KEM or ML-DSA will require replacement. Vendor timelines for PQC-capable HSMs run through 2025 and 2026. This is a hardware procurement cycle that cannot be compressed at short notice — begin the assessment now.
- Engage the supply chain. Federal contractors and defence suppliers face CNSA 2.0 compliance deadlines beginning January 2027. The supply chain pressure extends beyond direct contractors to any organisation with significant federal relationships. Vendors may shortly be required to produce cryptographic bills of materials — organisations should be prepared to demonstrate PQC compliance, not merely plan for it.
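An added example for the first two priorities above (not from the article or NIST): it classifies each inventoried system's key exchange and ranks systems by how many years recorded traffic would be readable while still sensitive. The inventory entries, field names, and the 2026 start and 2033 CRQC years are assumptions, the years being the article's own illustration.

```python
import re
from dataclasses import dataclass

START_YEAR = 2026   # migration start used in the article's arithmetic
CRQC_YEAR = 2033    # the article's "say, 2033"; an assumption, not a forecast
CLASSICAL_KEX = ("rsa", "ecdh", "dh", "x25519", "ecc")  # broken by Shor's algorithm
PQC_KEM = ("ml-kem", "mlkem")

@dataclass
class Asset:
    name: str
    key_exchange: str      # algorithms protecting data in transit, free text
    secrecy_years: int     # how long the data must stay confidential
    migration_years: int   # estimated time to move this system to PQC
    public_network: bool   # traffic crosses networks an adversary can record

def classify(key_exchange: str) -> str:
    tokens = [t for t in re.split(r"[\s,+/]+", key_exchange.lower()) if t]
    classical = any(t.startswith(CLASSICAL_KEX) for t in tokens)
    pqc = any(p in t for t in tokens for p in PQC_KEM)
    if classical and pqc:
        return "hybrid"
    if pqc:
        return "pqc"
    return "vulnerable" if classical else "unclassified"

def exposure_years(a: Asset) -> int:
    """Worst-case years a recorded session is decryptable while still sensitive."""
    if classify(a.key_exchange) != "vulnerable":
        return 0
    # The last traffic sent under the old algorithm stays sensitive until here.
    last_secret_year = START_YEAR + a.migration_years + a.secrecy_years
    return min(a.secrecy_years, max(0, last_secret_year - CRQC_YEAR))

def triage(inventory):
    """Most urgent first: exposed on a public network, then years exposed."""
    rows = [(a.name, classify(a.key_exchange), exposure_years(a), a.public_network)
            for a in inventory]
    return sorted(rows, key=lambda r: (r[2] > 0 and r[3], r[2]), reverse=True)

# Constructed inventory; names and figures are illustrative only.
INVENTORY = [
    Asset("build-cache", "RSA-3072", 1, 2, False),
    Asset("hr-portal", "ECDHE-P256", 5, 3, True),
    Asset("cdn-edge", "X25519+ML-KEM-768", 2, 0, True),
    Asset("cable-gateway", "RSA-2048", 20, 7, True),
    Asset("backup-vault", "AES-256-GCM", 10, 1, False),
]
```

Entries that come back `unclassified` need manual review rather than a score of zero being read as safe.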
None of this is technically exotic. The algorithms are standardised, the migration guidance is detailed and publicly available, and the threat logic is well understood by anyone who has engaged seriously with the intelligence assessments of the past three years. The obstacle is not knowledge. It is the same obstacle that characterises most long-horizon security investment decisions: the cost of action is immediate, visible, and falls on the current budget cycle, while the cost of inaction is deferred, diffuse, and will fall on a future leadership team managing a crisis whose origins lie in decisions made in 2026.
The encrypted data being generated today will still exist in 2034. So will the adversaries who have been collecting it.
Bottom line assessment
The harvest now, decrypt later threat is not a warning about the future. It is a description of operations already underway, against data already in adversary archives, awaiting a quantum key that most credible analyses suggest will arrive within the decade. NIST published its first PQC standards in August 2024. The migration window that those standards open is real — but it is not unlimited. Organisations that begin their cryptographic inventory, prioritise long-lived sensitive data, and adopt crypto-agile design principles in 2026 will complete their migrations before Q-Day with margin to spare. Organisations that defer will complete them after — if they complete them at all. The political and commercial pressure to treat post-quantum cryptography as a future problem is understandable, intellectually comfortable, and operationally catastrophic. The attack is already happening. The only question is whether the decryption key will arrive before or after the migration is complete.