The post-quantum cryptography transition isn't a future problem — it's a present one. Adversaries are already collecting encrypted data today, storing it until quantum computers can break current encryption algorithms. If your organization handles data that needs to remain confidential for more than 5-10 years — financial records, health data, intellectual property, national security information — you are already vulnerable to this threat.
The HNDL Threat
Harvest Now, Decrypt Later (HNDL) attacks represent a fundamental shift in how we think about cryptographic security. Traditional threat models assume that encrypted data in transit is safe as long as the encryption isn't broken at the time of transmission. HNDL breaks this assumption entirely.
Nation-state actors and sophisticated threat groups are intercepting and storing encrypted communications at scale. The storage cost is negligible compared to the potential intelligence value. When cryptographically relevant quantum computers arrive — and the consensus among researchers is that this is a matter of when, not if — all of that stored data becomes readable. RSA-2048, ECC P-256, and Diffie-Hellman key exchanges that protect the vast majority of internet traffic today will all be vulnerable.
The Timeline Is Shorter Than You Think
NIST finalized its first set of post-quantum cryptographic standards (ML-KEM, ML-DSA, SLH-DSA) in August 2024, with HBS standards following shortly after. The US government has mandated that agencies begin transitioning to PQC algorithms, with aggressive timelines for completion. The NSA's CNSA 2.0 suite requires PQC adoption for national security systems by 2030.
But migrating cryptographic infrastructure takes years, not months. Every TLS certificate, VPN tunnel, code signing key, database encryption configuration, and API authentication mechanism needs to be inventoried, assessed, and migrated. Organizations that haven't started planning are already behind.
What a Migration Plan Looks Like
Step 1: Cryptographic Discovery
You can't migrate what you don't know about. The first step is building a comprehensive inventory of every cryptographic algorithm, key, certificate, and protocol in your infrastructure. This includes not just your own code but third-party libraries, SaaS integrations, vendor products, and embedded systems. Most organizations discover 3-5x more cryptographic dependencies than they expected.
Step 2: Risk Assessment
Not all cryptographic usage carries the same quantum risk. A TLS session protecting a public web page has different risk characteristics than a VPN tunnel carrying classified data. Prioritize migration based on the sensitivity of the data being protected and the feasibility of HNDL attacks on that particular data flow.
Step 3: Architecture Planning
The goal isn't just to replace RSA with ML-KEM — it's to build crypto-agile infrastructure that can adopt new algorithms without another multi-year migration. This means abstracting cryptographic operations behind interfaces, implementing algorithm negotiation in protocols, and designing systems that can support hybrid (classical + PQC) modes during the transition.
Step 4: Phased Migration
Start with the highest-risk, most feasible migrations. TLS 1.3 with hybrid PQC key exchange is available today in most major implementations. Certificate infrastructure can begin issuing hybrid certificates. Code signing can adopt SLH-DSA. Each phase reduces your quantum risk surface while building organizational experience with PQC technologies.
The Cost of Waiting
Every day you delay, more of your encrypted data is potentially being harvested. The migration itself will only get more expensive as the deadline approaches and qualified practitioners become scarce. Organizations that start now can migrate methodically and cost-effectively. Organizations that wait will face emergency timelines and premium pricing.