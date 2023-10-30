The era of post-quantum encryption brings with it the looming threat of “harvest now, decrypt later” (HNDL) attacks. The concept is simple: adversaries collect encrypted data with the intention of decoding it once quantum computers are capable of breaking current encryption standards. While the fear of these attacks is well-founded, proving their existence is a challenge.

Various experts and cybersecurity analysts acknowledge the potential dangers of HNDL attacks, but few openly claim that they are already taking place. Colin Soutar, Deloitte’s quantum readiness leader, encourages organizations to focus on understanding their vulnerabilities and planning for quantum-readiness rather than attempting to predict the emergence of a cryptographically relevant quantum computer (CRQC) or assess the likelihood of HNDL attacks.

Robert Hannigan, chairman of security vendor BlueVoyant and former director of GCHQ, suggests that hostile actors may be acquiring large amounts of encrypted data for future decryption purposes. While stolen data is typically pursued for short-term financial gain, it is prudent to assume that it could be stored away attackers for decryption when quantum computers become a reality.

Andersen Cheng, founder of cybersecurity start-up Post-Quantum, asserts that HNDL attacks are indeed happening and that Western intelligence agencies have acknowledged their existence. He explains that these attacks can be executed diverting internet traffic through a border gateway protocol (BGP) hijack, allowing adversaries to collect encrypted data for future decryption.

While concrete evidence of HNDL attacks may be scarce, the potential risks they pose have spurred action. The US National Institute for Standards and Technology (NIST) is actively collaborating with cryptographers worldwide to develop post-quantum encryption standards that can withstand quantum computing capabilities. Additionally, legislation such as the Quantum Computing Cybersecurity Preparedness Act in the US has compelled federal agencies to prepare for post-quantum encryption standards.

