Harvest Now, Decrypt Later: The CISO's 2026 Guide to Beating the Quantum Deadline
Why HNDL attacks make PQC migration urgent in 2026: Mosca's Theorem, NIST FIPS 203/204/205, NCSC milestones, and a 90-day starter plan.
The attack that already happened
The most dangerous quantum attack is not scheduled for 2030 or 2035. It is happening today, and it does not require a quantum computer at all.
"Harvest now, decrypt later" (HNDL) is the practice of intercepting and storing encrypted traffic now, with the intention of decrypting it once a cryptographically relevant quantum computer (CRQC) exists. The adversary doesn't need to break your encryption this year. They need only to keep a copy of your ciphertext until the year they can. If your data must stay confidential for ten years — medical records, national identity data, intellectual property, diplomatic cables, M&A records — and a CRQC arrives within that window, then data stolen in 2026 is effectively already compromised.
This is why the US Cybersecurity and Infrastructure Security Agency (CISA), the NSA, and NIST have jointly urged organizations to begin quantum-readiness planning now, not when quantum hardware matures. It is also why the UK's National Cyber Security Centre has published concrete migration milestones: identify and plan by 2028, complete high-priority migration by 2031, and finish full migration by 2035 (NCSC PQC migration timelines).
The deadline, in other words, is not the day the quantum computer arrives. The deadline is the day your data's shelf life crosses the arrival horizon. For most organizations, that day has passed.
Mosca's Theorem: the only risk formula you need to memorize
Michele Mosca's inequality distills quantum risk into three variables: X, how long your data must remain secure (shelf life); Y, how long your migration to quantum-safe cryptography will take; and Z, how long until a cryptographically relevant quantum computer exists.
If X + Y > Z, you are already late.
Consider a bank whose customer transaction data must remain confidential for 15 years (X = 15). Industry experience with major cryptographic transitions (SHA-1, TLS 1.2, 3DES) suggests large-enterprise migrations take 5–10 years (Y = 7, optimistically). If a CRQC arrives at any point in the next 22 years — a horizon well within many published expert estimates — the inequality fails today. That is IQCDL's position: the rational planning assumption for any regulated enterprise in 2026 is that the migration clock has already run out of slack.
What NIST gave you in 2024 — and what it didn't
In August 2024, NIST finalized its first three post-quantum cryptography standards: FIPS 203 (ML-KEM) for key encapsulation, derived from CRYSTALS-Kyber; FIPS 204 (ML-DSA) for digital signatures, derived from CRYSTALS-Dilithium; and FIPS 205 (SLH-DSA), hash-based signatures derived from SPHINCS+.
What the standards give you: vetted, standardized algorithms your vendors can implement, and a defensible answer to "migrate to what?"
What they do not give you: an inventory of where cryptography lives in your estate, a prioritization of which systems to migrate first, staff who understand the difference between ML-KEM and RSA key transport, or a governance structure that survives a multi-year program. Standards are the destination. The rest is the journey — and the journey is organizational, not mathematical.
The three-phase migration: Assess, Plan, Implement
IQCDL's certification curriculum organizes the migration into three phases, aligned with the EU PQC Roadmap (2026–2035) and the guidance from CISA and the NCSC.
Phase 1 — Assess (now → 2026)
You cannot migrate what you cannot see. The single biggest blocker to PQC migration reported across the industry is the absence of a cryptographic inventory. Build a Cryptographic Bill of Materials (CBOM): every algorithm, key length, protocol, certificate, and library, across applications, infrastructure, cloud, endpoints, and — critically — third-party systems. In parallel, classify data by shelf life. A marketing cache with a 3-month lifespan and a genomic database with a 50-year lifespan do not share a migration priority.
This is also the phase to certify your leadership. Quantum risk decisions in the Assess phase are made by CISOs, IT directors, and compliance officers — people who need quantum literacy, not quantum physics. That is precisely the population the IQCDL Foundation Level (3 days, no coding) serves.
Phase 2 — Plan & protect the crown jewels (2026 → 2030)
Prioritize high-risk, long-shelf-life data first — the HNDL-exposed assets. Pilot hybrid classical + PQC deployments (for example, hybrid TLS key exchange) on critical infrastructure, so a weakness in either component does not expose traffic. Above all, build crypto-agility: decouple cryptographic logic from application logic so that algorithms can be swapped without rewriting core systems. The next algorithm transition after this one should cost you months, not a decade.
Phase 3 — Implement at scale (2030 → 2035)
Broad rollout across all systems, continuous monitoring, deprecation of legacy algorithms, and crypto-agility as an architectural default. Organizations that used Phases 1–2 to build inventory discipline and trained practitioners will find this phase an engineering program. Organizations that didn't will find it a crisis.
Why the skills gap is the real bottleneck
Hardware vendors will ship PQC-capable products. Cloud providers already offer hybrid key exchange. Your real constraint in 2026 is people: architects who can design hybrid systems, developers who can implement ML-KEM and ML-DSA correctly, auditors who can read a CBOM, and executives who can size the risk without hype.
This is the gap IQCDL exists to close. The Foundation Level (3 days) gives leaders the threat model — Shor, Grover, Mosca's Theorem, migration strategy — with no code required. The Practitioner Level (5 days) takes engineers hands-on: Qiskit, implementing Kyber/Dilithium/SPHINCS+, hybrid TLS, CBOM construction, and migration roadmapping. Both are aligned to NIST FIPS 203/204/205, ISO/IEC 4879, IEEE P7131/P7132, and the EU PQC Roadmap. And for teams starting from zero, the free Quantum Computing for Everyone course builds intuition in about four hours, no math required.
A 90-day starter plan
- Days 1–15: Run a readiness assessment (IQCDL's free 2-minute assessment at iqcdl.org/assessment is a start). Name an executive owner for quantum risk.
- Days 16–45: Begin the cryptographic inventory on your top-10 critical systems. Classify data shelf life. Apply Mosca's inequality per system.
- Days 46–75: Certify your security leadership at Foundation Level. Issue PQC-readiness questionnaires to your top vendors.
- Days 76–90: Draft the phased migration roadmap with owners and deadlines. Pilot one hybrid-TLS endpoint. Report X + Y > Z status to the board.
The post-quantum era does not begin when the quantum computer boots up. It began when the first adversary decided your ciphertext was worth storing. Start counting from there.