up:: The Threat MOC

The No-Warning Problem

The no-warning problem is the reason you can’t wait for an announcement that quantum computers have broken encryption, because the arrival of a cryptographically relevant quantum computer is unlikely to be publicly declared, and an adversary who reaches that capability first has every incentive to keep it secret and use it quietly. Cryptanalytic breakthroughs have historically been among the most closely guarded of all secrets, held by the intelligence agencies most likely to build a CRQC, so the base case is that the capability appears in classified use well before it appears in a headline. That forces a specific discipline: you plan your migration against Mosca’s theorem and the timing math, not against the news, because the news is the one input the threat is structured to withhold.

The short version:

  1. A working code-breaking quantum computer is unlikely to be announced, because the first party to reach it, most likely a nation-state intelligence program, gains the most by keeping it secret and reading traffic quietly.
  2. Cryptanalytic capability has historically been one of the most classified secrets a state holds, so a real gap between classified and public capability is the expected case, not a conspiracy theory.
  3. Harvest-now-decrypt-later means the damage can begin before any breakthrough is even usable at scale, because harvested data sits waiting for the day the capability exists.
  4. Waiting for confirmation is structurally too late, since by the time a break is public the window to protect long-lived data has already closed for anything already harvested.
  5. The rational response is to act on Mosca’s timing, which is your data’s confidentiality lifetime plus your migration time against the threat horizon, rather than on a warning that may never come.

Think of it like a locksmith somewhere quietly learning to open a lock that millions of homes use, and having every reason to say nothing. If word gets out, everyone changes their locks and the skill becomes worthless, so the smart move for whoever learns it first is to stay silent and let themselves into the houses that matter, one at a time, leaving no sign. You’d never get a bulletin telling you the lock was broken. The only safe assumption is that a lock this valuable could already be open to someone, and the only sane response is to change your own lock on your own schedule, before you have proof you needed to.

Will anyone announce when quantum breaks encryption?

Almost certainly not, because the party most likely to get there first has the strongest possible reason to keep quiet. A CRQC is expected to emerge from a well-resourced national program, and cryptanalytic capability is the kind of advantage that evaporates the moment it’s disclosed. If an intelligence service could read the encrypted traffic of rivals, adversaries, and targets, announcing that ability would immediately trigger a global scramble to post-quantum algorithms and destroy the advantage overnight. The incentive structure points hard toward secrecy.

That’s not speculation about any specific actor, it’s the logic of how valuable cryptanalytic secrets have always been treated. History shows that when a state gains the ability to read protected communications, it guards that ability obsessively and exploits it silently for as long as it can, precisely because the value lives entirely in the target not knowing. A public “quantum has broken RSA” announcement is the one thing an adversary with that capability would work hardest to avoid, so building a migration plan that waits for it is building on the one disclosure the threat is designed to suppress.

The historical record backs this directly. Public-key cryptography itself was invented inside the UK’s GCHQ by James Ellis, Clifford Cocks, and Malcolm Williamson between 1970 and 1974, and the British government held that work classified until 1997, more than two decades later and long after the same ideas were independently rediscovered and published in the open. When a state gains a cryptographic advantage, the documented pattern is to keep it secret for as long as the secrecy pays, which is the base case this note assumes.

Source: National Security Agency, “Clifford Cocks, James Ellis, and Malcolm Williamson,” Cryptologic History, NSA.

What is the classified-versus-public capability gap?

The classified-versus-public capability gap is the difference between what the most advanced secret programs can do and what the open scientific literature has demonstrated, and it means public benchmarks are a floor on capability rather than a ceiling. The quantum-computing progress reported in journals and press releases reflects what academic and commercial labs can show openly. It says little about what a classified program with a far larger budget and no obligation to publish may have achieved, and there’s no reliable way from the outside to measure that gap.

The consequence for planning is that public milestones understate the risk in a specific direction. When the open literature shows a machine still short of breaking RSA, that tells you the public frontier hasn’t arrived, and it doesn’t tell you the classified frontier hasn’t. The gap could be small or large, and the honest position is that it’s unknown and unmeasurable from outside. This is exactly why the discipline of reading quantum progress matters for calibrating the public timeline, and why even a well-calibrated read of the public timeline can’t rule out a classified capability running ahead of it. Public progress bounds what you can see, not what exists.

Why does harvest-now-decrypt-later make the no-warning problem worse?

Because harvest-now-decrypt-later decouples the harm from the announcement entirely, so the damage can already be underway before any capability is usable, let alone public. An adversary doesn’t need a working CRQC to start hurting you. They need only to copy your encrypted long-lived data now and store it, which the actors with the resources to build a CRQC are precisely positioned to do at scale.

That turns the no-warning problem from a future risk into a present one. The moment your sensitive, long-lived data crosses a network in a quantum-vulnerable algorithm, it may already be in an archive waiting for a decryption capability that will never be announced. By the time the capability exists, the collection happened years earlier, so there was never a warning to act on and never a moment when protecting that already-copied data was still possible. The harvest is silent, the capability is silent, and the decryption is silent, which is three layers of no warning stacked on the same data.

How do you plan against a threat with no warning?

You plan against the timing math instead of the news, because the timing math is knowable and the news is the one input the threat withholds. Mosca’s theorem gives the whole decision in one comparison, and it’s built to work without ever knowing the exact arrival date.

  1. Measure your data’s confidentiality lifetime. How many years must this data stay secret? Health records, financial data, state secrets, and long-term contracts can carry lifetimes of decades, which is what puts them in the harvest window today.
  2. Measure your migration time. How many years will it take to find and replace the quantum-vulnerable cryptography protecting that data, across the whole estate? Discovery and replacement for a large organization run to years.
  3. Compare the sum to the threat horizon. If your confidentiality lifetime plus your migration time is greater than the years until a CRQC could plausibly exist, you’re already behind, and you’re behind whether or not anyone ever announces the machine.

The table contrasts the two ways to trigger a migration, which is what makes the case for planning on timing rather than news.

Waiting for the announcementPlanning on Mosca’s timing
TriggerA public confirmation that quantum broke encryptionYour confidentiality lifetime plus migration time exceeding the threat horizon
Availability of the triggerUnlikely, since the first party to the capability gains most by silenceAlways available, because both timescales are knowable now
Timing relative to harmAfter harvested data is already exposedBefore the window closes on long-lived data
RobustnessFails if the capability is kept secretWorks whether or not the capability is ever announced

The power of framing it this way is that it removes the announcement from the decision. The exact year the CRQC arrives can stay unknown, and a warning becomes unnecessary, because the moment your two knowable timescales overlap the threat horizon, the rational move is to start migrating now. Planning on Mosca’s timing is how you make a decision that’s robust to the one thing you’ll never be told, which is when the capability actually arrived.

This is also the posture the authorities themselves recommend. The joint guidance from CISA, the NSA, and NIST directs organizations to begin quantum-readiness now, building a migration roadmap and a cryptographic inventory ahead of any confirmed threat, rather than waiting for a triggering event that may never be public.

Source: CISA, NSA, and NIST, “Quantum-Readiness: Migration to Post-Quantum Cryptography,” August 2023, CISA.

Common misconceptions

  1. “We’ll hear about it when quantum breaks encryption, and migrate then.” The party most likely to get there first gains the most from silence, so a public announcement is the least likely outcome. By the time a break is public, the window to protect already-harvested data has closed.
  2. “Public quantum benchmarks tell us how close the threat is.” Public benchmarks are a floor on capability, not a ceiling. They bound what open labs can show and say nothing measurable about what a classified program with a larger budget may have reached.
  3. “Believing capability could be hidden is just paranoia.” It’s the historical base case for cryptanalytic secrets, which states have always guarded obsessively because their entire value depends on the target not knowing. Assuming secrecy is the sober position, not the conspiratorial one.
  4. “If no one can break it yet, our harvested data is fine.” The harm from harvesting is locked in at collection time, not at decryption time. Data copied today in a quantum-vulnerable algorithm is exposed the day a capability exists, and that day won’t come with a warning.
  5. “We should wait for more certainty before spending on migration.” Certainty is exactly what the threat is structured to deny you. Mosca’s math is designed to make the decision without it, which is why the rational trigger is the timing overlap, not a confirmation that may never arrive.

Questions people ask

Will there be a public announcement when a quantum computer breaks encryption? Almost certainly not. The first party to reach the capability, most likely a nation-state program, gains the most by keeping it secret and using it quietly, because disclosure would trigger a global migration and destroy the advantage. Planning that waits for the announcement waits for the one disclosure the threat suppresses.

How do we know intelligence agencies don’t already have this? We can’t know either way from the outside, and that’s the point. Public quantum progress bounds what open labs can demonstrate, not what a classified program may have achieved, and cryptanalytic capability is historically among the most tightly held state secrets, so a gap is the expected case.

If there’s no warning, how do we decide when to migrate? By Mosca’s theorem, which compares your data’s confidentiality lifetime plus your migration time against the threat horizon. It’s built to make the decision without knowing the exact arrival date, so it works precisely when no warning is coming.

Doesn’t harvest-now-decrypt-later mean the damage is already happening? For long-lived data, yes, potentially. The harm from harvesting is set at the moment data is copied, not when it’s decrypted, so sensitive data crossing the network today in a vulnerable algorithm may already be in an adversary’s archive awaiting a future, unannounced capability.

Is the classified capability gap real or a scare tactic? It’s a real, unmeasurable uncertainty. There’s no way from outside to know how far a well-funded secret program has advanced past the public frontier, so responsible planning treats the public timeline as a floor and doesn’t assume the classified frontier sits at the same place.

Should we just assume quantum computers already exist and panic? No. The response isn’t panic, it’s disciplined timing. You measure your own confidentiality lifetimes and migration time, compare them to the threat horizon, and start migrating the long-lived data whose window is closing, which is a calm, evidence-based decision rather than a reaction to a warning that may never come.

How does this change how I read quantum-computing news? Treat public milestones as a lower bound on what’s possible and never as an all-clear. Reading the progress carefully helps calibrate the public timeline, and the no-warning problem is why even a good read of the public timeline can’t be your only input for a migration decision.


Everything here is the map, given freely. When your team needs its long-lived data ranked by confidentiality lifetime, its migration time measured honestly, and a plan built on Mosca’s timing rather than a warning that may never come, that’s the work I do. Request an alignment briefing.

Last verified 2026-07-14 · Maintained by Addie LaMarr, LaMarr Labs.