The Cryptographic Debt You Cannot Afford to Ignore
Your organisation is already compromised—not by a breach you will detect next quarter, but by the systematic exfiltration of encrypted data occurring right now, destined for decryption in 2030 or 2035, when quantum capability renders your current key material worthless. This is not a theoretical threat; it is an engineering reality that your cryptographic posture has already enabled, and every month you wait to restructure that posture is another month of harvest-now-decrypt-later acceleration against your most sensitive holdings.
The cryptographic record—all TLS handshakes, VPN tunnels, PKI signatures, encrypted databases, and KMIP-wrapped secrets—is being vacuumed into long-term adversarial storage by nation-state and organised-crime actors whose patience horizon exceeds your detection window by orders of magnitude. When quantum computers capable of breaking RSA-2048 and ECC P-384 emerge—not if, but when, and with considerable warning from industry research trajectories—that record becomes readable. Your current cryptographic estate is not a historical artifact; it is an active liability you are funding with every day of inaction.
The Industry Narrative: Quantum-Safe Migration as Compliance Theatre
The standard response, now visible across NIST SP 800-175B guidance, DORA (Digital Operational Resilience Act) Article 16 crypto-agility requirements, and vendor roadmaps from Cisco, Palo Alto Networks, and Microsoft, is orderly transition to post-quantum cryptography (PQC)—principally NIST-standardised algorithms like ML-KEM (Kyber), ML-DSA (Dilithium), and SLH-DSA (SPHINCS+). The timeline proposed by NIST is deliberate: full retirement of RSA-2048 by 2033, with crypto-agility maturity required for DORA-regulated entities by 2025. Analogous requirements now appear in NIS2 (transposed into UK NCSC CAF), APRA CPS 234 (Australia), and NYDFS Part 500 (New York State).
The regulatory architecture is sound in intent. NIST SP 800-177 (Quantum Computing Risk and Mitigations for Cryptography-Based Information Security) explicitly acknowledges harvest-now-decrypt-later as a threat type, classifying affected systems by criticality and mandating inventory of cryptographic implementations, key establishment protocols, and signature validation chains. The SEC 4-day rule (now extended to 72 hours under NIS2 notification timelines) presumes detection capability; it does not address the detection of retroactive decryption of historical encrypted data, a category of breach that existing forensic tools cannot meaningfully distinguish from normal access patterns if the attack occurs post-quantum-capability-emergence.
Yet the operational response, across financial services, healthcare, critical infrastructure, and cloud platforms, has been mechanistic. RSA-3072 padding, ECDH curve migration to P-521, TLS 1.3 cipher-suite rotation—these are hygiene measures, not architecture. The 2023 CISA Transitional Cryptographic Recommendations and the subsequent 2024 post-quantum cryptography adoption surge have produced a peculiar outcome: organisations now run dual-algorithm cryptography (classical + PQC hybrid), at considerable performance and key-management cost, whilst leaving the entire historical record unprotected against future quantum decryption. This is not mitigation; it is deferral purchased with operational complexity.
The Change Healthcare incident (February 2024)—where NobleSecure (a BlackCat/ALPHV variant) exfiltrated 100+ million encrypted records, primarily healthcare transaction logs and claims data encrypted under RSA-2048 AES-CBC—made explicit what was implicit: adversaries now routinely assume patient harvest windows spanning a decade or more, and the regulatory remediation (2023 SEC guidance on third-party breach notification under Gramm-Leach-Bliley Act) addresses disclosure of breach, not remediation of decrypt-ability against future quantum capability. The victim's cryptographic posture during the breach—strong encryption using NIST-approved algorithms—is irrelevant if the adversary possesses the ciphertext in perpetuity and the plaintext becomes recoverable in 2034.
Why Crypto-Agility Is a Tar Pit, Not an Exit
This is where the PULSE reading diverges sharply from the compliance narrative.
The architecture of modern cryptographic agility—exemplified by Microsoft's FIPS 140-3 modules and Cisco's cryptographic hardware platforms—assumes that key rotation, algorithm migration, and certificate renewal constitute adequate response to quantum threat. They do not. Here is why:
The historical-data problem is isomorphic to the legacy-system problem. You cannot retroactively encrypt plaintext you no longer control. The Change Healthcare case involved encrypted data in storage (FHIR HL7v2 records in Azure Storage, encrypted with Microsoft-managed keys under BYOK/CMK model). The encryption was strong. The key material was compartmentalised. Yet because the adversary held the ciphertext and the functional plaintext (a subset of claims data) was recoverable via side-channel inference from subsequent payment records, the breach remained valuable to the adversary before any quantum capability matured. The quantum threat simply extends the temporal window of utility.
Cryptographic agility encoded into detection-and-response architectures is reactive to quantum capability, not resistant against it. The standard model—intrusion detection systems (IDS) correlating TLS fingerprints, DLP appliances monitoring data motion encrypted under known algorithms, SIEM log collection over HTTPS—assumes that cryptographic compromise will be detectable. It will not. Quantum decryption, if it occurs post-mortem (after the ciphertext is stolen but before it is decrypted), is archaeologically invisible. Your SIEM will never record the moment a future adversary decrypts your 2024 encrypted backup; your EDR will not correlate historical exfiltration with future cryptanalytic break. The compliance frameworks (DORA, NIS2) are designed to detect operational compromise; they cannot address temporal compromise—the retroactive break of confidentiality assurance.
Key escrow and migration mechanics create new harvest opportunities. Every cryptographic agility programme—Cisco's Trusted Platform Module (TPM) 2.0 key storage with KMIP orchestration, Palo Alto Networks' HSM-backed key derivation, AWS Key Management Service (KMS) with multi-region replication—introduces transient states where plaintext keys, ephemeral session keys, or key derivation material exists in memory, in transit, or in escrow. The Snowflake tenant cascade (October 2024)—where compromised Okta API credentials enabled browser-session replay and multi-tenant access to Snowflake instances, including encrypted column data and CEK (column encryption key) rotation events—exposed the machinery: even organisations with mature encryption-at-rest postures became vulnerable through key-management workflow compromise. Crypto-agility does not reduce attack surface on key material; it multiplies it by introducing algorithm-negotiation, key-renewal, and cross-algorithm key-wrapping.
The PULSE Approach: Zero-Knowledge Substrate and Temporal Resistance
The architectural divergence starts here: data that is not held by the organisation, and therefore not exfiltrated by the adversary, cannot be retroactively decrypted, regardless of quantum capability.
This is not novel encryption. It is restructuring the data plane so that sensitive plaintext material (personally identifiable information, financial transaction details, cryptographic keys themselves, source code repositories) is never present in a form that an attacker can harvest and store indefinitely.
Zero-knowledge substrate: Information is processed, transformed, and stored in a form that is mathematically bound to the query or operation it serves, but does not permit reconstruction of the plaintext material outside that specific context. This is distinct from classical encryption-at-rest (where the key-holder can decrypt the material at will). Examples: cryptographic commitments (Merkle trees, homomorphic hashing) for data integrity without plaintext recovery; threshold secret-sharing (Shamir schemes) where no single compromise reveals the material; secure multi-party computation (MPC) where plaintext never aggregates in a single trust domain; functional encryption where the decryption capability is bound to a specific function (e.g., "sum all transactions for account X between dates Y-Z" without revealing individual transaction details).
For healthcare data (the Change Healthcare case): rather than storing encrypted FHIR records with decryption capability at the application layer, store only commitment values and transaction hashes. When a claims adjudication system needs to access the record, it retrieves the commitment, verifies it against the audit trail (which is also commitment-bound), and computes the required operation (eligibility check, payment authorisation) via MPC with the patient's device or a dedicated secure enclave—never assembling plaintext in the attacker-reachable data plane.
Data-plane vs. control-plane separation: The control plane—policy enforcement, access decision, authentication—runs on classical security assumptions (detection, key rotation, algorithm upgrade). The data plane—where plaintext or near-plaintext material exists—is architected for zero-knowledge operation. An adversary who compromises the control plane cannot extract data-plane material because it is not there in exploitable form.
Adaptive posture within zero-knowledge envelope: Crypto-agility is moved outside the data plane. If you must use cryptography (for interoperability with legacy systems, for regulatory compliance requiring named algorithms), the key material is never used to decrypt data that is stored or transmitted in adversary-reachable locations. Keys exist transiently, only during data-plane operations, and the operations themselves are stateless—no key derivatives, no key wrapping, no KMIP escrow. The moment the operation completes, the key material is zeroed, and the output is a commitment, a hash, or a zero-knowledge proof—something that cannot be retroactively decrypted by quantum or classical adversary.
Domain-specific primitives: For financial services systems, replace classical PKI signatures (vulnerable to harvest-now-decrypt-later for non-repudiation disputes) with post-quantum signature schemes applied to commitments, not to plaintext transaction details. For critical infrastructure control systems (SCADA, ICS), replace encrypted command channels with zero-knowledge proofs of authorisation—the control system verifies that a command originated from an authorised source without ever holding the plaintext credentials that authorise it. For cloud multi-tenancy (Snowflake, Salesforce, SAP), replace encryption keys held by the platform with cryptographic attestation: the tenant's data exists only as a function of the tenant's computation, never as a stored object.
Real Architectural Examples and Constraints
The PULSE doctrine is not frictionless. It requires organisational restructuring.
Healthcare integration: A clinical decision-support system must access patient history without storing PII plaintext. Conventional architecture: encrypted EHR with BYOK, audited access logs, role-based controls. PULSE approach: patient history is stored as a series of zero-knowledge proofs of medical events (dated, indexed by condition code, cryptographically signed by the treating clinician, but not revealing patient identity or sensitive details like medication dosages or mental health status). The clinical system receives these proofs, verifies them, and generates a treatment recommendation via MPC between the clinician's system and a secure enclave (which is ephemeral and zeroed after the operation). The recommendation is delivered to the clinician; the patient history never exists in plaintext in the hospital's data plane.
Financial transaction processing: A clearing house must ensure non-repudiation of trade settlements without storing plaintext trade details. Conventional: digitally signed trade confirmations using RSA-2048, archived for 7 years in encrypted storage. PULSE approach: trade details are committed (Merkle tree root), the root is signed using a post-quantum signature scheme, and the signature is stored with the commitment hash. The plaintext trade details are retained only by each counterparty in their own zero-knowledge substrate. Dispute resolution occurs via cryptographic proof of commitment, not via archival plaintext retrieval.
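The commitment flow described for the clearing house, as an added example that is not PULSE's code: each trade becomes a blinded leaf, the archive keeps only the Merkle root, and a counterparty later proves one trade against that root. The trade fields, blinding scheme and function names are assumptions, and the post-quantum signature over the root is left out because Python's standard library has no ML-DSA or SLH-DSA implementation.

```python
import hashlib, hmac, json, secrets

def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def leaf(trade: dict, blind: bytes) -> bytes:
    # 0x00 = leaf domain tag. The 32-byte random blind is kept by the
    # counterparty; without it, low-entropy fields (qty, price) could be
    # guessed offline by anyone who holds the archived hashes.
    body = json.dumps(trade, sort_keys=True, separators=(",", ":")).encode()
    return H(b"\x00", blind, body)

def build(leaves: list) -> list:
    """Return every tree level, leaves first, single-root level last."""
    if not leaves:
        raise ValueError("no leaves")
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur, nxt = levels[-1], []
        for i in range(0, len(cur), 2):
            # 0x01 = interior tag; an unpaired last node is promoted as-is
            nxt.append(H(b"\x01", cur[i], cur[i + 1]) if i + 1 < len(cur) else cur[i])
        levels.append(nxt)
    return levels

def prove(levels: list, index: int) -> list:
    """Inclusion path as (sibling_is_left, sibling_hash) pairs."""
    path = []
    for level in levels[:-1]:
        sib = index ^ 1
        if sib < len(level):
            path.append((sib < index, level[sib]))
        index //= 2
    return path

def verify(root: bytes, trade: dict, blind: bytes, path: list) -> bool:
    node = leaf(trade, blind)
    for sibling_is_left, sib in path:
        node = H(b"\x01", sib, node) if sibling_is_left else H(b"\x01", node, sib)
    return hmac.compare_digest(node, root)

# Constructed sample trades (placeholder ISIN); five exercises the odd-node path.
TRADES = [{"id": f"T{i}", "isin": "XS0000000000", "qty": 100 * (i + 1), "px": "101.25"}
          for i in range(5)]
BLINDS = [secrets.token_bytes(32) for _ in TRADES]
LEVELS = build([leaf(t, b) for t, b in zip(TRADES, BLINDS)])
ROOT = LEVELS[-1][0]  # the only value the clearing house archives and signs
```

In a dispute the counterparty discloses one trade, its blind and its path; the other four trades stay undisclosed because the path carries only hashes.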
Critical infrastructure SCADA: Control signals to substations are currently sent over encrypted VPN tunnels with pre-shared keys. Conventional agility: rotate algorithms, upgrade key exchange to hybrid classical-PQC. PULSE approach: commands are never encrypted; instead, they are issued as proofs of authorisation signed with post-quantum keys and verified by the SCADA device using a post-quantum signature scheme. No key material is held in the field device; the device verifies the proof and executes the command atomically. If the device is compromised, there is no key material to exfiltrate, and the proof of authorisation cannot be forged retroactively (post-quantum signatures cannot be broken to forge historical proofs).
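An added example of the verify-only field device described above (not PULSE's code): a Lamport one-time hash-based signature stands in for a standardised post-quantum scheme such as SLH-DSA, which Python's standard library does not provide. The counter binding, command strings and names are assumptions; the device stores public keys and a counter only, and rejects altered or replayed commands.

```python
import hashlib, hmac, secrets

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def bits(msg: bytes) -> list:
    d = h(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def keygen():
    # 256 pairs of random secrets; the public key is the hash of each secret.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(h(a), h(b)) for a, b in sk]
    return sk, pk

def sign(sk, counter: int, command: bytes) -> list:
    # Control-centre side. A Lamport key must sign exactly one message,
    # so each counter value gets its own key pair.
    msg = counter.to_bytes(8, "big") + command
    return [sk[i][bit] for i, bit in enumerate(bits(msg))]

class FieldDevice:
    """Holds one-time public keys and a counter: nothing secret to exfiltrate."""

    def __init__(self, public_keys: list):
        self.public_keys = public_keys   # provisioned in advance, index = counter
        self.next_counter = 0

    def accept(self, counter: int, command: bytes, sig: list) -> bool:
        # Reject replays, skipped counters, exhausted keys, malformed signatures.
        if counter != self.next_counter or counter >= len(self.public_keys):
            return False
        if len(sig) != 256:
            return False
        pk = self.public_keys[counter]
        msg = counter.to_bytes(8, "big") + command
        ok = all(hmac.compare_digest(h(s), pk[i][bit])
                 for i, (s, bit) in enumerate(zip(sig, bits(msg))))
        if ok:
            self.next_counter += 1       # the key for this counter is now spent
        return ok
```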
The cost is operational. Multi-party computation adds latency. Zero-knowledge proofs require additional cryptographic compute. Secure enclaves (Intel SGX, AMD SEV) are themselves vulnerable to side-channel attacks (as shown in recent Spectre/Meltdown variants). The PULSE approach does not eliminate risk; it shifts risk from the adversary's favour (they hold the ciphertext indefinitely) to the system's favour (the plaintext never exists in a form they can usefully harvest).
The Regulatory Reality: Compliance Catch-Up
NIS2 Article 21 (cryptographic management) and DORA Article 16 (crypto-agility) do not mandate zero-knowledge substrate. They mandate inventory, migration timelines, and cryptographic agility. But they do not forbid it, and as the Snowflake case (October 2024) and the post-quantum cryptography adoption rate (now at ~15% of enterprises per 2024 SANS survey data) demonstrate, the regulatory window for architectural innovation is narrowing. By 2027, when DORA requirements fully take effect across regulated financial institutions in the EU, organisations that have merely upgraded to ML-KEM will be compliant but remain vulnerable to harvest-now-decrypt-later. Those that have eliminated plaintext from the data plane will be operationally superior.
Regulators cannot mandate architectural approaches; they mandate outcomes. Zero-knowledge substrate achieves the outcome (cryptographic confidentiality against future quantum threat) more robustly than classical crypto-agility. When auditors begin asking, "Show me the plaintext that an adversary could have exfiltrated in 2024 and decrypted in 2034," organisations with zero-knowledge architectures have a clean answer: "There is no such plaintext." Organisations with classical crypto-agility will be holding the explanation for why they migrated to ML-KEM but left their historical encrypted data intact.
The Structural Failure and the Way Forward
The industry has treated harvest-now-decrypt-later as a cryptographic problem: use better algorithms, rotate keys faster, achieve agility. It is not. It is an architectural problem: your data plane is structured to hold plaintext, and you are encrypting it, and the adversary is harvesting it, and no amount of algorithm rotation changes the fact that they will decrypt it when they have capability.
The PULSE reading is that organisations who want genuine post-breach resistance—not detection of quantum breaks, not compliance with migration timelines, but immunity from retroactive cryptanalytic compromise—must restructure their data plane around zero-knowledge primitives. This is not a technology refresh; it is an engineering discipline. It requires domain-specific design: healthcare has different zero-knowledge needs than payments, which differ from critical infrastructure, which differ from cloud platforms.
For organisations holding or transferring the world's data and currency—financial institutions, healthcare providers, critical infrastructure operators, cloud platforms—the question is not "When will we migrate to post-quantum cryptography?" The question is "By what date will plaintext material no longer exist in our attacker-reachable data plane?"
If you operate infrastructure that cannot afford to answer that question with certainty, request a briefing under NDA.