up:: The Threat MOC

Store-Now-Decrypt-Later Actor Landscape

The store-now-decrypt-later actor landscape is the honest answer to a fair question: who is actually recording encrypted traffic today to decrypt it once a quantum computer can break the key exchange that protected it? Harvest-now-decrypt-later only matters if someone is collecting, and the credible case rests on two grounded pillars rather than on naming specific operations, which nobody outside classified channels can prove. The first is that the U.S. government has stated in its own words that adversaries could be doing this now. The second is that the economics of bulk collection and long-term storage put the capability within reach of well-resourced actors, cheaply enough that it does not require a nation-state budget. This note stays on the structural case and cites where citation is possible.

Source: Quantum-Readiness: Migration to Post-Quantum Cryptography, CISA, NSA, and NIST joint factsheet, August 21, 2023.

The short version:

  • HNDL is only a real risk if collection is really happening, so the actor question is the load-bearing one under the whole harvest-now-decrypt-later argument.
  • U.S. federal agencies have stated plainly that threat actors “could be targeting data today” with long secrecy lifetimes using a “catch now, break later or harvest now, decrypt later” operation, which is authoritative confirmation the concern is taken seriously at the government level.
  • The strongest attribution class is well-resourced nation-state intelligence services, which have the passive-collection reach, the storage, and the mandate to hold traffic for decades.
  • The capability is not limited to nation-states, because cloud cold storage now costs a fraction of a cent per gigabyte per month, so warehousing large volumes of ciphertext is within reach of ordinary commercial and criminal actors.
  • Collection is passive and undetectable, so the absence of a public breach report is not evidence that harvesting is not happening, which is exactly what makes it a planning problem rather than an incident-response one.
  • The structural case is enough to act on. You do not need to know who is collecting to know which of your data is worth protecting from a future decryption.

Why frame this as a landscape instead of naming actors?

This is framed as a landscape because responsible analysis separates what can be sourced from what cannot, and specific harvesting operations sit almost entirely on the unprovable side. Naming a particular service and claiming it is recording a particular organization’s traffic is the kind of assertion that reads as confident and collapses under scrutiny, because the evidence lives in classified collection or is simply unknowable from the outside. Leaning on that kind of claim is what lets a skeptical executive wave the whole threat away as speculation.

The defensible move is to argue from structure. Two things can be established without any secret knowledge: that authoritative bodies treat the threat as present, and that the technical and economic barriers to harvesting are low. Those two facts are enough to justify prioritizing long-lived data for migration, and they hold regardless of which specific actor is or is not targeting you. The landscape framing keeps the argument on ground a regulator or a board can actually verify, which is where a security recommendation belongs.

What have government agencies actually said?

The clearest authoritative statement comes from the joint quantum-readiness factsheet published by CISA, the NSA, and NIST in August 2023, which put the harvesting concern in official language. In its own words, cyber threat actors “could be targeting data today that would still require protection in the future (or in other words, has a long secrecy lifetime), using a catch now, break later or harvest now, decrypt later operation.” That is a U.S. federal document naming the exact technique and treating it as a present-day reason to begin migration planning.

Source: Quantum-Readiness: Migration to Post-Quantum Cryptography, CISA, NSA, and NIST joint factsheet, Background section, August 21, 2023.

The point of citing the government here is to calibrate the claim rather than to alarm anyone. The agencies do not claim to have caught a specific harvesting operation in the act, and they phrase the risk carefully as something adversaries “could be” doing. That measured wording is a feature, because it matches the honest state of the evidence: the technique is credible, the motive is clear, and the collection is undetectable, so the authorities recommend acting on the possibility rather than waiting for proof that, by the nature of passive collection, may never arrive. This is the same reasoning that runs through the joint guidance as a whole.

Who has the capability and the motive?

The actors most plausibly running store-now-decrypt-later collection are the ones with reach, storage, patience, and a reason to want decades-old secrets. Sorting them by capability rather than by name keeps the analysis defensible:

Actor classCollection reachStorage and patienceMotive for decades-old secrets
Nation-state intelligence servicesPassive interception at scale, including backbone and submarine-cable accessEffectively unlimited horizon, mandate to archiveHigh: diplomatic, military, economic, and counterintelligence value that persists
Well-resourced criminal groupsTargeted interception, stolen encrypted backups, compromised infrastructureCheap cloud storage, growing patienceModerate: long-lived credentials, trade secrets, extortion material
Commercial and gray-market collectorsBulk traffic acquisition where legally or physically availableCheap cloud storageVariable: resale, analytics, future leverage

The nation-state class is the strongest fit on every axis, because passive bulk collection of internet traffic is an established intelligence discipline, the archives already exist, and the value of a foreign ministry’s or a defense contractor’s communications does not expire in a year. That combination of reach, storage, and long-horizon motive is what makes the nation-state case the sober center of the landscape, without needing to attach a country’s name to a specific stored dataset.

Why is nation-state harvesting the credible core of the threat?

Nation-state harvesting is the credible core because intelligence services already do the two things store-now-decrypt-later requires, and have for a long time. They collect encrypted traffic passively at scale as a routine part of their mission, and they retain material far longer than any commercial retention schedule, because an intelligence archive is built to be mined for years. Add a foreseeable future capability that unlocks that archive, and the incentive to keep collecting today is obvious: every session recorded now is a potential future read at effectively no marginal cost.

There is a well-documented historical precedent for exactly this pattern, which is why it is not hypothetical. During and after World War II, U.S. codebreakers intercepted and stored Soviet diplomatic and intelligence cables that were unreadable at the time, and years later the Venona project exploited a weakness in how the traffic was protected and began reading the backlog, exposing agents long after the messages were sent. That is store-now-decrypt-later in its purest form: collect while you cannot read, wait for a break, then read the archive retroactively. The quantum era changes only the nature of the break, from a key-reuse mistake to a quantum computer solving the public-key math, and the collection-and-wait behavior is the same discipline intelligence services have practiced for generations.

Source: NSA, “Venona” historical release; Simon Singh, The Code Book, 1999, chapter on Venona.

Doesn’t harvesting require a nation-state budget?

No, and that assumption is the most common reason the threat gets underestimated. The expensive-sounding parts of store-now-decrypt-later, the collection and the storage, have both fallen in cost to the point where a well-resourced non-state actor can participate. Cloud cold storage now runs a fraction of a cent per gigabyte per month, so warehousing very large volumes of recorded ciphertext for years is a modest operating expense rather than a national-scale investment. The barrier that used to make bulk harvesting the exclusive province of governments has largely eroded on the storage side.

The collection side is more constrained for non-state actors, since passive backbone interception really does favor entities with privileged network access, but it is not a hard wall. Stolen encrypted backups, compromised network appliances, malicious access at a hosting or transit provider, and targeted interception all put ciphertext in an attacker’s hands without a government’s reach. The honest read is a spectrum: nation-states have the broadest collection, but the storage economics mean the actor pool for opportunistic or targeted harvesting is wider than the nation-state-only framing suggests, so an organization with genuinely valuable long-lived data should not assume only governments are a threat.

What makes this hard to see, and why does that matter?

Store-now-decrypt-later is hard to see because collection is passive, which means it leaves no trace on the target’s systems. An attacker recording traffic in transit, copying an encrypted archive, or holding a stolen backup does nothing the victim can detect, and the decryption that would reveal the breach happens years later on the attacker’s own hardware. There is no intrusion alert, no exfiltration spike on the day that matters, and no breach notification, because from the target’s point of view nothing has visibly happened yet.

That invisibility has a direct consequence for how you reason about the risk. The absence of evidence that your traffic is being harvested is not evidence that it is safe, because a successful harvesting operation is precisely the one you never observe. This is why store-now-decrypt-later belongs in the planning column rather than the incident-response column, and why the defensible response is to protect data by its confidentiality lifetime rather than to wait for a detection that the threat model says will not come. The Mosca’s-theorem calculation exists exactly to convert this undetectable, future-tense risk into a present-day migration deadline.

Which of your data does this landscape put at risk?

The landscape sharpens the HNDL prioritization by pointing at the data these actors would actually want to keep. Store-now-decrypt-later collection is only worth the storage cost for information that still has value years after capture, so the risk concentrates on long-lived secrets rather than on ephemeral traffic:

  1. Long-secrecy-lifetime records. Health data, regulated financial records, legal strategy, and personal data with statutory retention are valuable for decades and are exactly what the federal factsheet points to.
  2. State and defense communications. Diplomatic, military, and intelligence-adjacent traffic is the classic nation-state harvesting target, with value that outlasts any current administration.
  3. Trade secrets and intellectual property. Formulas, designs, and source code hold competitive value long after the session that carried them, which is why economic espionage is a core motive.
  4. Long-lived credentials and keys. Secrets that stay valid for years let a future decryption unlock far more than the captured session itself.

The exposure runs through the public-key key-establishment that protects these sessions, RSA key transport, Diffie-Hellman, and ECDH, all of which fall to Shor’s algorithm. That harvesting exposure is measurable today: a 2026 survey of 8,443 real-world Nginx TLS configurations found 28.9% relied on RSA key exchange with no forward secrecy, so any session recorded against those endpoints can be decrypted retroactively once the server’s long-term key is recovered.

Source: Balaji et al., “Operationalising Post-Quantum TLS,” 2026, arXiv:2605.17955.

Common misconceptions

  • “Nobody can prove harvesting is happening, so it’s just fear.” Passive collection is undetectable by design, so demanding proof of a specific operation sets a bar the threat model guarantees you cannot meet. The credible case rests on federal assessments plus the economics of collection, both of which are verifiable.
  • “Only nation-states can harvest, so most organizations are safe.” Nation-states have the broadest reach, but cheap cloud storage puts warehousing ciphertext within reach of criminal and commercial actors too. Any organization with genuinely long-lived valuable data is a plausible target.
  • “If my traffic were being harvested, I would see a breach.” You would not. Collection leaves no trace on your systems, and the decryption happens years later on the attacker’s hardware. The absence of an alert says nothing about whether harvesting is underway.
  • “This is a future problem, so I can wait for the quantum computer.” The collection is a present-day activity, and waiting guarantees you finish migrating too late for anything already recorded. That is the Mosca argument, and it is why the actor landscape matters now.
  • “Harvesting means my AES-encrypted data is already at risk.” The exposure is in the public-key key exchange that Shor breaks, not the symmetric bulk encryption. AES-256 stays safe, so the fix is replacing the vulnerable key establishment, not the cipher.

Questions people ask

Is harvest-now-decrypt-later actually real, or is it hype? The collection behavior is real and old, documented as far back as the Venona era, and U.S. federal agencies state that adversaries could be doing it now with long-secrecy-lifetime data. What is uncertain is the exact scope, not whether the technique and motive exist.

Who is most likely harvesting encrypted data? Well-resourced nation-state intelligence services are the strongest fit, because they already collect traffic passively at scale and retain it for decades. The capability is not exclusive to them, though, given how cheap long-term storage has become.

Can you name the specific groups doing this? Not defensibly. Attributing a specific harvesting operation to a named actor requires classified evidence or is simply unknowable from outside, so the honest analysis argues from federal assessments and collection economics rather than from attribution.

If I can’t detect harvesting, how do I defend against it? By protecting data according to its confidentiality lifetime rather than waiting for a breach alert that will not come. Replace vulnerable key establishment with ML-KEM, usually through a hybrid step, and prioritize your longest-lived, highest-value data first.

Does harvesting require a government-scale budget? Not anymore for the storage side, which now costs a fraction of a cent per gigabyte per month. Broad passive collection still favors actors with privileged network access, but stolen backups and targeted interception widen the pool beyond nation-states.

How does this connect to Mosca’s theorem? The actor landscape establishes that collection is plausible and present, which is what makes the Mosca inequality bite: if your data’s secrecy lifetime plus your migration time exceeds the time until a quantum computer arrives, harvested traffic is at risk now, regardless of which actor holds it.

Go deeper

The risk this landscape underpins: Harvest Now, Decrypt Later (HNDL) is the full treatment of the harvesting risk, and Non-HNDL is the separate trust-forgery risk on a later clock.

The timing and the machine: Mosca’s Theorem turns the undetectable risk into a deadline, Quantum Threat Timeline supplies the arrival band, and Cryptographically Relevant Quantum Computer (CRQC) is the machine the collection waits for.

The federal framing and the fix: CISA NSA NIST Quantum-Readiness Joint Guidance is the joint factsheet quoted above, and TLS 1.3 Hybrid Key Exchange and Forward Secrecy are where the practical mitigation begins.


Everything here is the map, given freely. When your team needs the harvesting risk turned into a prioritized, defensible migration queue for your own long-lived data, that’s what an alignment briefing is for.

Last verified 2026-07-12 · Maintained by Addie LaMarr, LaMarr Labs.