‘Harvest Now, Decrypt Later’ Attacks Push Federal Shift to PQC

Federal agencies must rethink their encryption strategies as a growing wave of “harvest now, decrypt later” attacks signal rising long-term risk.

Prathibha Rama, computer engineer at The Johns Hopkins University Applied Physics Laboratory, said the long-anticipated “Q-Day” — when quantum computers can break public key encryption — is drawing closer.

“We’ve been lucky with systems like Rivest-Shamir-Adleman (RSA) and Elliptic Curve Cryptography (ECC) for a long period of time. We’ve been resting on the laurels of these crypto systems since they first came out. But we’re going into a paradigm shift, and we should really prepare for it early,” Rama said last week at GovCIO Media & Research’s CyberScape: The Federal Cybersecurity Summit.

Rama said cybersecurity leaders do not need to panic about Q-Day, but should recognize the urgency. In “harvest now, decrypt later” attacks, threat actors collect encrypted data today with the expectation that future quantum capabilities will allow them to decrypt it, potentially exposing sensitive government and critical infrastructure data.

“If you’re an organization that relies on integrity even more than confidentiality, those are a lot of systems that you should look to update,” she said.

The White House’s June 2025 executive order on strengthening the nation’s cybersecurity frames PQC as a national security priority and directs agencies to begin a structured transition.

“To prepare for transition to PQC, the Director of the National Security Agency with respect to National Security Systems (NSS), and the Director of OMB with respect to non-NSS, shall each issue requirements for agencies to support, as soon as practicable, but not later than January 2, 2030,” according to the directive.

Rama said leaders who have not started migrating should begin by inventorying where cryptography is used, identifying the types in use and understanding data lifecycle requirements.

“Those are the things that you want to figure out how to prioritize within your system. This is also a really good time to start looking at who your vendors are and who’s in your supply chain,” Rama said.

Starting with smaller components can help agencies avoid operational disruptions, she added, but vendors will ultimately need to migrate to PQC to ensure a secure supply chain.

“We already have computers in existence right now. It’s hard for the qubits to be stable, but it’s around the corner. So make sure that other people within your supply chain and your vendors are aware of that. If they’re not willing to update, then take your business elsewhere,” said Rama.