The ABCs of Harvest and Decrypt


As large-scale quantum computing inches ever closer, the urgency to protect our digital assets now from future threats is growing. Around the world, organizations of all kinds are being strongly encouraged to start preparing for quantum-capable adversaries. And for several very good reasons.

If you’re familiar with the quantum-threat to cryptography, you’ve likely heard that current encryption algorithms are vulnerable to quantum computing attacks. You may have come across discussions about post-quantum cryptography standards. And perhaps you’ve heard that today’s encrypted data could be at risk from tomorrow’s quantum-enabled attackers.

In this blog, I want to focus on that third point, the risk to today’s encrypted data. Usually, discussion about this topic doesn’t get much deeper than "Your data is at risk. Fix that with post-quantum cryptography." In this, I want to take a step back, look at the bigger picture, and properly explain why the urgency is so great. Most importantly, I want to remind you that there are concrete actions you can take today to mitigate your risk in the future.

Ready? Then let’s discuss the ABCs of Harvest and Decrypt.

Knowledge is Power: Why Data is a Target
It’s no secret that data is one of the most valuable assets in today’s digital world. Companies pay billions for insights on consumer shopping habits, market intelligence reports, crop yield predictions, and strategic intelligence. Predictive models powered by Big Data have given many companies competitive advantage and have helped shape their corporate strategies and decision-making processes. Data drives everything from pricing decisions for goods and services and product development to global supply chains and military strategy. Our world runs on data.

Given how valuable data is, it comes as no surprise that threat actors relentlessly seek to acquire it by illicit means. Even if they don’t use it themselves, they know it is valuable to the organizations that control it. If an organization loses control of its data, it will often pay to regain it, as evidenced by the global rise in ransomware attacks.

In other words, if your data has value — to you or to someone else — threat actors have an incentive to gain control of it.

Encryption: Our Best Defense
Encryption means confidentiality. It is the backbone of data security. Public-key cryptography (PKC) enables secure digital communication, global business operations, and electronic financial transactions. Today, PKC is a critical enabler of the global economy. Without PKC, trillions of dollars in economic activity would be at risk.

At its core, encryption ensures that only authorized recipients can read protected data. For everyone else, it’s meaningless gibberish. Quantum computing threatens to change that.

The Quantum Threat to Public-Key Cryptography

The bottom line is that the PKC driving the global digital economy is under threat. The digital economy relies on encryption algorithms that are implausible to break with conventional computers. But quantum computers will eventually render these protections obsolete. When that happens, threat actors will be able to decrypt any data secured by today’s public-key encryption.

Enter Harvest and Decrypt.

Also known as Harvest-Now, Decrypt-Later or Store-Now, Decrypt-Later, this attack strategy involves intercepting and storing encrypted data now with the intent to decrypt it once a powerful enough quantum computer becomes available. Make no mistake, this data harvesting is happening right now by threat actors around the globe.
 
What Happens if My Data is Harvested Today?
The best-case scenario? Your encrypted data will have no value when Cryptographically Relevant Quantum Computers (CRQCs) emerge. Meaning, threat actors gain nothing by decrypting it in the future.

The worst case? Your organization’s most sensitive information — the crown jewels — will still be valuable, making it an attractive target for exploitation. This is why it is imperative for organizations to understand the time-value of their data assets today. Organizations should be asking:

  • What data assets do we have?
  • What will be the value of our data assets in 10, 20, or 30 years? 
  • What would a threat actor do with this data?
  • What would the impact be if this data were exposed?

In general, there are five options: sell the data to competitors, expose it to damage reputation or disrupt operations, use it to compete against you, use it for extortion (e.g., blackmail or ransom), or simply use it to cause chaos and confusion.

What Type of Data is Being Harvested?
When we think of Harvest and Decrypt, we tend to think of legal documents, financial data, sensitive customer information — like Protected Health Information (PHI) or Personally Identifiable Information (PII) — or any data where there are legal, regulatory, or contractual obligations to secure it for many years. And indeed, if such data were exposed, the financial and reputational harm to the organization is potentially lethal. Any data with long-term protection requirements must be identified and secured with post-quantum cryptography (PQC) today.

But it doesn’t stop there. Think about what might happen if quantum-capable threat actors revealed your organization’s trade secrets, long-term strategic planning documents, private internal communications, competitive analysis documents, market research, or any other kind of data which yields competitive advantage. How much time and investment went into gathering that information? What is the impact if it were suddenly revealed to the public, or sold to an unscrupulous and unethical competitor?

Lastly, it isn’t only the data you already have that is at risk. The data you generate tomorrow is also vulnerable (unless protected with PQC). This means that organizations need to be forward looking and consider today how to protect the valuable data they won’t have until the future.
 
How Is the Data Being Harvested?
Motivated threat actors employ a range of techniques to intercept encrypted data. Many of the techniques will be deeply sophisticated and hard to detect. However, here are some of the techniques to be aware of:

  • Rerouting internet traffic — BGP hijacking
  • Mass harvesting of communications — through compromise of communications infrastructure
  • Targeted harvesting — targeting a specific individual or organization
  • Event-based harvesting — targeting an industry or government conference
  • Location-based harvesting — at an airport, hotel, or other commercial establishment
  • Encrypted storage media — accessing improperly sanitized hard drives and tapes or copying encrypted snapshots and backups 

How Do I Limit My Risk? 6 Actions to Take Now
The top priority is proactive action. Assess your organization's cryptographic posture, identify quantum vulnerabilities, and develop a comprehensive remediation plan.

  1. Identify, classify, and catalogue critical data — Determine which assets require long-term protection.
  2. Evaluate your data’s time value — Consider how long it must remain secure and how threat actors might exploit it.
  3. Review and update security policies — Ensure they align with quantum-safe practices.
  4. Implement quantum-safe encryption — Apply PQC where necessary to safeguard sensitive data.
  5. Secure new data from the start — Integrate PQC into all data-handling processes.
  6. Collaborate across your ecosystem — Work with customers, partners, suppliers, and vendors to ensure end-to-end data protection.

By taking these steps now, organizations can mitigate the risks of Harvest-Now, Decrypt-Later attacks and safeguard their most valuable assets before quantum threats emerge. If your organization’s data will still be valuable in the future, there’s probable cause for concern today. The only way to stay ahead of the threat is to start planning now.

We can help. Contact us today to learn more about how our ISARA Advance solution will assess your cryptographic posture, identify your quantum-vulnerabilities, and set you on the path to long-term data security.