‘Harvest now, decrypt later’: Why hackers are waiting for quantum computing

Hackers are waiting for the moment quantum computing breaks cryptography and enables the mass decryption of years of stolen information. In preparation, they are harvesting even more encrypted data than usual. Here is what businesses can do in response.

Why are hackers harvesting encrypted data?

Most modern organizations encrypt multiple critical aspects of their operations. In fact, about eight in 10 businesses extensively or partially use enterprise-level encryption for databases, archives, internal networks and internet communications. After all, it is a cybersecurity best practice.

Alarmingly, cybersecurity experts are growing increasingly concerned that cybercriminals are stealing encrypted data and waiting for the right time to strike. Their worries are not unfounded — more than 70% of ransomware attacks now exfiltrate information before encryption. 

The “harvest now, decrypt later” phenomenon in cyberattacks — where attackers steal encrypted information in the hopes they will eventually be able to decrypt it — is becoming common. As quantum computing technology develops, it will only grow more prevalent.

How ‘harvest now, decrypt later’ works

Quantum computers make the “harvest now, decrypt later” phenomenon possible. In the past, encryption was enough to deter cybercriminals — or at least make their efforts pointless. Unfortunately, that is no longer the case.

Whereas classical computers operate using binary digits — bits — that can either be a one or a zero, their quantum counterparts use quantum bits called qubits. Qubits can exist in two states simultaneously, thanks to superposition. 

Since qubits may be a one and a zero, quantum computers’ processing speeds far outpace the competition. Cybersecurity experts are worried they will make modern ciphers — meaning encryption algorithms — useless, which has inspired exfiltration-driven cyberattacks. 

Encryption turns data, also known as plaintext, into a string of random, undecipherable code called ciphertext. Ciphers do this using complex mathematical formulas that are technically impossible to decode without a decryption key. However, quantum computing changes things.

While a classical computer would take 300 trillion years or more to decrypt a 2,048-bit Rivest-Shamir-Adleman encryption, a quantum one could crack it in seconds, thanks to qubits. The catch is that this technology isn’t widely available — only places like research institutions and government labs can afford it.

That does not deter cybercriminals, as quantum computing technology could become accessible within a decade. In preparation, they use cyberattacks to steal encrypted data and plan to decrypt it later.

What types of data are hackers harvesting?

Hackers usually steal personally identifiable information like names, addresses, job titles and social security numbers because they enable identity theft. Account data — like company credit card numbers or bank account credentials — are also highly sought-after.

With quantum computing, hackers can access anything encrypted — data storage systems are no longer their primary focus. They can eavesdrop on the connection between a web browser and a server, read cross-program communication or intercept information in transit. 

Human resources, IT and accounting departments are still high risks for the average business. However, they must also worry about their infrastructure, vendors and communication protocols. After all, both client and server-side encryption will soon be fair game.

The consequences of qubits cracking encryption

Companies may not even realize they have been affected by a data breach until the attackers use quantum computing to decrypt the stolen information. It may be business as usual until a sudden surge in account takeovers, identity theft, cyberattacks and phishing attempts. 

Legal issues and regulatory fines would likely follow. Considering the average data breach rose from $4.35 million in 2022 to $4.45 million in 2023 — a 2.3% year-over-year increase — the financial losses could be devastating. 

In the wake of quantum computing, businesses can no longer rely on ciphers to communicate securely, share files, store data or use the cloud. Their databases, archives, digital signatures, internet communications, hard drives, e-mail and internal networks will soon be vulnerable. Unless they find an alternative, they may have to revert to paper-based systems.

Why prepare if quantum isn’t here yet?

While the potential for broken cryptography is alarming, decision-makers should not panic. The average hacker will not be able to get a quantum computer for years — maybe even decades — because they are incredibly costly, resource-intensive, sensitive and prone to errors if they are not kept in ideal conditions.

To clarify, these sensitive machines must stay just above absolute zero (459 degrees Fahrenheit to be exact) because thermal noise can interfere with their operations. 

However, quantum computing technology is advancing daily. Researchers are trying to make these computers smaller, easier to use and more reliable. Soon, they may become accessible enough that the average person can own one. 

Already, a startup based in China recently unveiled the world’s first consumer-grade portable quantum computers. The Triangulum — the most expensive model — offers the power of three qubits for roughly $58,000. The two cheaper two-qubit versions retail for less than $10,000.

While these machines pale in comparison to the powerhouse computers found in research institutions and government-funded labs, they prove that the world is not far away from mass-market quantum computing technology. In other words, decision-makers must act now instead of waiting until it is too late. 

Besides, the average hacker is not the one companies should worry about — well-funded threat groups pose a much larger threat. A world where a nation-state or business competitor can pay for quantum computing as a service to steal intellectual property, financial data or trade secrets may soon be a reality. 

What can enterprises do to protect themselves?

There are a few steps business leaders should take in preparation for quantum computing cracking cryptography. 

1. Adopt post-quantum ciphers

The Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) soon plan to release post-quantum cryptographic standards. The agencies are leveraging the latest techniques to make ciphers quantum computers cannot crack. Firms would be wise to adopt them upon release. 

2. Enhance breach detection

Indicators of compromise — signs that show a network or system intrusion occurred — can help security professionals react to data breaches swiftly, potentially making data useless to the attackers. For example, they can immediately change all employees’ passwords if they notice hackers have stolen account credentials.

3. Use a quantum-safe VPN

A quantum-safe virtual private network (VPN) protects data in transit, preventing exfiltration and eavesdropping. One expert claims consumers should expect them soon, stating they are in the testing phase as of 2024. Companies would be wise to adopt solutions like these.

4. Move sensitive data

Decision-makers should ask themselves whether the information bad actors steal will still be relevant when it is decrypted. They should also consider the worst-case scenario to understand the risk level. From there, they can decide whether or not to move sensitive data. 

One option is to transfer the data to a heavily guarded or constantly monitored paper-based filing system, preventing cyberattacks entirely. The more feasible solution is to store it on a local network not connected to the public internet, segmenting it with security and authorization controls.

Decision-makers should begin preparing now

Although quantum-based cryptography cracking is still years — maybe decades — away, it will have disastrous effects once it arrives. Business leaders should develop a post-quantum plan now to ensure they are not caught by surprise. 

Zac Amos is features editor at ReHack.