Somewhere in a windowless data centre, in a country that may or may not be your own, a server is quietly storing a copy of every encrypted email you have ever sent, every banking transaction you have ever made, every encrypted message you have ever exchanged with a doctor or a lawyer or a lover — and is waiting, patiently, for the technology to arrive that will eventually let someone read all of it. The technology is quantum computing. The waiting period is, by most current estimates, somewhere between five and twenty years. The strategy is called “harvest now, decrypt later,” and it is now the explicit, publicly acknowledged practice of the signals intelligence agencies of every major industrial country, several non-state actors, and an unknown number of organised criminal groups. The encryption that currently secures essentially every digital communication on the planet — diplomatic cables, financial records, medical files, military communications, corporate intellectual property — was designed under the assumption that breaking it would take longer than the lifetime of the universe. It will, in fact, take however long it takes the quantum computing industry to build a machine with enough qubits. That timeline is no longer measured in cosmic units.

According to a detailed cryptographic analysis of the harvest-now-decrypt-later threat published in 2026, the US National Security Agency issued an unambiguous public assessment in August 2021: “Adversaries may be collecting encrypted data now, waiting for the day when quantum computers can decrypt it.” The UK’s National Cyber Security Centre made a similar statement in its 2023 Annual Review, noting that state actors are conducting data theft campaigns “for exploitation in years to come.” The Five Eyes intelligence-sharing alliance — comprising the US, UK, Canada, Australia, and New Zealand — has issued coordinated joint advisories on the same threat. The Cyber Threat Alliance released a report in February 2026 titled “Approaching Quantum Dawn,” documenting that the harvesting is now occurring at industrial scale and that the storage costs are entirely tractable for state-level actors operating on 10-to-20-year time horizons.

What is actually being attacked

The cryptographic vulnerability that quantum computers will expose is not, technically, all encryption. It is specifically the encryption that secures the initial exchange of keys between two parties who want to communicate securely — what cryptographers call asymmetric or public-key cryptography. The two dominant standards are RSA (named after Rivest, Shamir, and Adleman, the three MIT cryptographers who developed it in 1977) and ECC (Elliptic Curve Cryptography). Both depend, for their security, on mathematical problems that are easy to set up but extraordinarily hard to reverse — specifically, factoring very large numbers into their prime components (for RSA) and solving discrete logarithm problems on elliptic curves (for ECC). Classical computers would require approximately the lifetime of the universe, or longer, to solve these problems at the key sizes currently in commercial use.

As reported in a 2025 Federal Reserve Board paper examining post-quantum cryptography risks, Shor’s algorithm — a quantum algorithm developed by the mathematician Peter Shor in 1994 — would, on a sufficiently powerful quantum computer, solve both problems in hours rather than billions of years. The bulk encryption that actually protects the contents of messages, once the keys are exchanged, uses symmetric encryption (typically AES-256) that is substantially more quantum-resistant. Symmetric encryption is weakened by quantum computers but not broken in the same catastrophic way. The asymmetric key-exchange step is the choke point. Once a quantum computer can break the RSA or ECC key exchange that secured a TLS session in 2024, the entire contents of that session — captured and stored by an adversary at the time — can be decrypted retroactively.

What gets stored, and why

The practical implication is that any encrypted communication transmitted today, intercepted today, and stored today becomes readable when the threshold quantum computer exists. The damage from this is structural rather than fixable. As documented in the broader literature on harvest-now-decrypt-later attacks, you cannot patch a data breach that occurred five years ago. You cannot recall a diplomatic cable that an adversary intercepted in 2024 and stored in a data warehouse. You cannot retroactively encrypt the medical records, financial transactions, intellectual property, military communications, or industrial control system data that has already been captured. The damage is done at the moment of interception. The decryption is just the moment when the damage becomes legible.

This is why the harvesting is, by all available evidence, already extensive. State-level signals intelligence agencies have been bulk-collecting internet traffic for over a decade. The marginal cost of storing additional petabytes of encrypted data is small at state scale. The patience required — waiting 10 or 15 years for the decryption capability to mature — is structural rather than burdensome for actors operating on geopolitical time horizons. The Citi Institute’s January 2026 quantum threat report estimated that the cumulative cost of the eventual decryption events could reach into the trillions of dollars across the global economy, depending on what data turns out to have been harvested and how it is used.

The countermove

The defensive response is called post-quantum cryptography — the development and deployment of new encryption methods that are designed to be resistant to quantum attack. The US National Institute of Standards and Technology has been running a multi-year competition to identify the most promising algorithms, and finalised the first set of standards in 2024. The leading new key-exchange standard, CRYSTALS-Kyber, is based on mathematical problems involving lattices in high-dimensional spaces — problems that, by current understanding, are hard for both classical and quantum computers. Several major technology companies have already begun deploying post-quantum cryptography. Apple deployed it for iMessage in February 2024. Signal added it. Google has rolled it out across Chrome.

As covered in a March 2026 EnQuanta analysis of the NSA’s commercial migration deadlines, the US federal government has set transition deadlines that require all national-security systems to migrate to post-quantum cryptography by 2027, with the full commercial transition expected by 2033. The European Union has set similar timelines. The UK, Australia, Canada, Japan, and most other major industrial democracies are in the process of doing the same. The scale of the migration is substantial — essentially every digital system that uses RSA or ECC for key exchange will need to be updated — but the work is underway. The challenge is that the harvest-now-decrypt-later attack is not symmetric with the defence: even if every system in the world migrates to post-quantum cryptography tomorrow, the data that has already been collected in the past decade, encrypted with the now-vulnerable algorithms, will still become readable when the threshold quantum computer arrives. The migration protects future communications. It does not protect past ones.

The threshold itself remains uncertain. The most optimistic forecasts among cryptographers and quantum-computing researchers place the cryptographically relevant quantum computer somewhere in the 2030s. The most pessimistic place it in the 2040s. A May 2025 paper by Craig Gidney of Google Quantum AI substantially pulled the timeline forward by demonstrating that the qubit requirement for breaking RSA-2048 had dropped from his own 2019 estimate of approximately 20 million qubits to fewer than 1 million — a 95 percent reduction in hardware demand, driven by improvements in error correction and approximate modular arithmetic rather than by any new physics. The intelligence agencies that are already harvesting the encrypted traffic are not waiting to find out which forecast turns out to be correct. They are storing the data now and trusting that the decryption capability will arrive within the operational lifetime of whatever it is the data turns out to be relevant to. The cost of being wrong about the timing — by harvesting more data than they end up being able to decrypt — is small. The cost of being right and having no harvested data to decrypt is much larger. The arithmetic, from a signals-intelligence perspective, is straightforward. The encryption that protects the species’ digital life is on a deadline. The countdown started years ago.