
Jul 01 2026
Security

Harvest Now, Decrypt Later: A Quantum Threat for Federal Agencies

Quantum computers can’t break today’s encryption yet, but adversaries are stockpiling encrypted federal data now to decrypt later. Here’s what agencies need to know and do before Q-Day arrives.

It’s understood that adversarial states are harvesting American data, anywhere they can get to it. No worries, though: It’s all encrypted, right?

But soon, that encryption may no longer be enough.

Quantum computing will soon be able to break current encryption models. The “harvest now, decrypt later” (HNDL) strategy is laying the groundwork for that, with state actors gathering data today so they can exploit it once quantum computing makes decryption possible.

What Is a Harvest Now, Decrypt Later Attack?

The quantum threat looms large in the federal space.

“We don’t have a quantum computer today that we know of that could decrypt or break the cryptography that we use to safeguard information” — but it’s coming soon, says Andy Smith, a certified instructor for the SANS Institute who teaches defensible security architecture and engineering.

In HNDL, “an adversary collects massive amounts of encrypted data they believe will be extremely valuable when that data can be decrypted in the future by powerful new computing platforms, such as the anticipated arrival of quantum computers,” says Greg Touhill, who teaches cyber risk management at Carnegie Mellon University’s Heinz College.

That arrival could happen soon. “The rule of thumb at the moment is probably mid-to-late 2030s,” Smith says. “But who knows? A big development could bring that forward.”

An HNDL attack “involves adversaries who will capture information that is sensitive today, in its encrypted form, and just basically keep it … until such time as a crypto-analytically relevant quantum computer is created,” Smith says.


The Federal Data Most at Risk: Defense, Intelligence and Long-Lived Citizen Records

To understand what data is at risk, it’s helpful to know who’s looking to quantum-exploit federal data.

First, “they’re going to be the adversaries who can get their hands on some of that encrypted data in the first place,” Smith says. “Second, they’ve got the means to store such large quantities of data for a long time.”

This points to nation-state adversaries, who will be looking to exploit a range of federal data.

“Most people tend to think the most valuable data at risk are related to defense, intelligence or citizen records,” Touhill says. And while that may be true, those organizations are also “among the most mature and proactive organizations in migrating to a post-quantum cryptography capability.”

Other less well-funded departments and agencies may have a higher degree of risk, including those holding data “related to financial and economic information, regulatory deliberations, law enforcement, intellectual property, market trends, agriculture, strategic materials [and] citizen privacy,” he says.

That puts virtually every federal agency in the crosshairs.


The Policy Landscape: NSM-10 and CISA’s Push Toward Post-Quantum Readiness

There’s urgency around achieving quantum-resistant encryption. “We know what the worst-case scenario looks like and are in a race to reduce our national risk exposure,” Touhill says. “Now is the time to act with velocity and precision.”

To that end, various federal entities have begun issuing guidance to steer agencies toward a safer place in the face of the HNDL threat.

National Security Memorandum 10, or NSM-10, spelled out “a big, broad policy directive around building out a cryptographic inventory, regularly reporting on cryptographic posture, and starting to then do that migration on a prioritized basis, with a goal of achieving as much migration as possible by 2035,” Smith says.

Beyond that general directive, “we see more specific guidance, more technical guidance, coming out from the likes of CISA and NIST,” he says. In particular, the NIST post-quantum strategy looks to phase out some current algorithms by 2030, fully disallowing them by 2035.


Crypto Inventory and Agility: Why Knowing What You’re Encrypting Is Step One

Federal agencies need to know their current cryptographic posture, and that promises to be a major lift. “The amount of data at risk is enormous and growing at exponential rates — estimated to grow by over 200 zettabytes per year. That is over 685TB for every American,” Touhill says.

To tackle the scale of the threat, agencies will need both a crypto inventory and an approach that embraces maximum agility.

Creating a crypto inventory is about understanding what cryptography you have and where it lives. “Without that, you don’t know how big the problem space actually is,” Smith says. “You don’t know how much work you’ve got to do. Having that inventory also really helps you to prioritize the migration, based on: Where is our highest risk data? Obviously, the highest risk data should be migrated first.”

Agility here refers to the ability to change course easily. That’s going to be a necessary approach, given the complexity of the task. “Realistically, we’re going to have to make multiple changes as part of this migration,” Smith says.

Agility is a must-have here, since “some of the standards that we need to adhere to haven’t actually been finalized yet,” he says. Post-quantum readiness is a moving target, and agencies will need to stay flexible.

An Action Plan for Federal IT Leaders: Starting PQC Migration Before Q-Day Arrives

Some federal agencies are already moving ahead. “The preparation for post quantum has been around for a while, and it’s been on our strategic roadmap for a while,” said Maureen Falvella, acting chief information officer at the National Institutes of Health, who spoke at a recent AFCEA Health IT Summit.

Agencies can go one of two routes here.

“You’ve got the bottom-up approach, which is: Let’s inventory absolutely everything and then look to do some of the prioritization and migration,” Smith says. “Alternatively, you can do some prioritization first, and then really focus in on the systems that are a higher risk.”

He recommends the latter, top-down approach. “I don’t think that you have to start off by inventorying absolutely everything in your organization,” he says. Agencies instead may find it makes more sense to focus on identifying the highest-value, highest-risk data and to tackle those first.
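The crypto inventory and the risk-first prioritization described above can be sketched as a ranking over inventory records. This is an added example, not code from the article or from any agency; the record fields, the system names and the default `crqc_year` of 2035 (one reading of the "mid-to-late 2030s" rule of thumb) are assumptions.

```python
from dataclasses import dataclass

# Public-key families that Shor's algorithm breaks on a large quantum computer.
QUANTUM_VULNERABLE = {"RSA", "DH", "ECDH", "ECDSA", "DSA"}
# NIST post-quantum standards (FIPS 203, 204, 205).
POST_QUANTUM = {"ML-KEM", "ML-DSA", "SLH-DSA"}


@dataclass
class Entry:
    system: str
    purpose: str       # "key-exchange", "signature" or "bulk-encryption"
    algorithm: str     # family name; "A+B" denotes a hybrid of two
    secret_until: int  # year until which the data must stay confidential


def hndl_priority(e, crqc_year=2035):
    """Return (tier, years_exposed); a lower tier migrates first."""
    parts = set(e.algorithm.upper().split("+"))
    vulnerable = bool(parts & QUANTUM_VULNERABLE) and not parts & POST_QUANTUM
    if not vulnerable:
        return (3, 0)  # symmetric, post-quantum or hybrid: no HNDL exposure
    if e.purpose == "signature":
        return (2, 0)  # nothing to harvest, but still due for migration
    # Captured traffic matters only if it is still secret once decryptable.
    exposed = max(0, e.secret_until - crqc_year)
    return (0, exposed) if exposed else (1, 0)


def rank(entries, crqc_year=2035):
    """Order inventory entries by migration priority, most urgent first."""
    def key(e):
        tier, exposed = hndl_priority(e, crqc_year)
        return (tier, -exposed)
    return sorted(entries, key=key)


# Constructed sample inventory; systems and years are invented for illustration.
INVENTORY = [
    Entry("benefits-records-api", "key-exchange", "RSA", 2070),
    Entry("grants-portal", "key-exchange", "ECDH", 2030),
    Entry("code-signing", "signature", "ECDSA", 2026),
    Entry("case-file-vpn", "key-exchange", "ECDH+ML-KEM", 2060),
    Entry("backup-archive", "bulk-encryption", "AES-256", 2060),
    Entry("regulatory-mail-gw", "key-exchange", "ECDH", 2045),
]

if __name__ == "__main__":
    for e in rank(INVENTORY):
        print(hndl_priority(e), e.system, e.algorithm)
```

Moving `crqc_year` earlier pulls more systems into the top tier, which is why the ranking has to be rerun as estimates and standards change.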
