Harvest Now, Decrypt Later Attacks Pose a Security Concern as Organizations Consider Implications of Quantum Computing

NEW YORK, Sept. 20, 2022 — Just over half of responding professionals at organizations considering quantum computing benefits believe that their organizations are at risk for “harvest now, decrypt later” (HNDL) cybersecurity attacks (50.2%), according to a new Deloitte poll.

In HNDL attacks, threat actors “harvest” data from unsuspecting organizations, anticipating that data can be decrypted later — when quantum computing reaches the maturity to render some existing cryptographic algorithms obsolete.

“It’s encouraging to see that so many of the organizations with quantum computing awareness are similarly aware of the security implications that the emerging technology presents. But, it’s important to note that ‘harvest now, decrypt later’ attacks are something all organizations — whether or not they’re considering leveraging quantum computing — stand to face in a post-quantum world,” said Colin Soutar, Ph.D., U.S. quantum cyber readiness leader and Deloitte Risk & Financial Advisory managing director, Deloitte & Touche LLP. “As quantum awareness grows within boardrooms, C-suites and security teams, we’re hopeful that organizations’ efforts to prepare for post-quantum cyber risk management will grow as well.”

Looking at quantum computing cybersecurity risk preparedness
Timing for organizations’ assessments of potential, post-quantum encryption vulnerabilities varies among polled professionals. Almost half of respondents (45%) say their organizations expect to complete that work within the next 12 months, if not sooner. An additional 16.2% expect to conduct such quantum risk assessments within the next two to five years.

Respondents said their organization’s quantum computing security risk management efforts will most likely advance following regulatory pressure to adopt legislation or policies (27.7%) or leadership demand — from the board of directors, CISO/CSO, etc.— to enable the cryptographic agility which can address the algorithms made obsolete by quantum computing (20.7%).

Other respondents’ organizations seem to be taking a “wait and see” approach. Some say it would take a cyber incident — like exfiltration of sensitive data — involving their organization (11.7%) to drive quantum security risk management efforts. Others say client or shareholder demand would drive the same (6.8%).

“Although we are in the early days, quantum computing technology holds tremendous promise and has potential to transform organizations,” said Scott Buchholz, global quantum computing lead and managing director, Deloitte Consulting LLP. “Moreover, work to manage the future cryptographic threat can begin today by better securing data. Even as stakeholders look for future business applications, they must prioritize quantum security to protect data now — even before quantum computers come fully online.”

“Collaboration between the C-suite, boards and security leaders is needed to drive quantum cyber preparedness. Good cyber hygiene — such as developing a cryptographic inventory, honing data governance, and managing certificates — are all good steps for today and for when we are more completely in the quantum era,” concluded Soutar.

About the online poll
More than 400 professionals from organizations that have already considered quantum computing’s benefits were polled online about related cybersecurity risk management during a webcast held on July 28, 2022, titled “Insights and action: Preparing for quantum era opportunities and threats.” Answer rates differed by question

About Deloitte
Deloitte provides industry-leading audit, consulting, tax and advisory services to many of the world’s most admired brands, including nearly 90% of the Fortune 500^® and more than 7,000 private companies. Our people come together for the greater good and work across the industry sectors that drive and shape today’s marketplace — delivering measurable and lasting results that help reinforce public trust in our capital markets, inspire clients to see challenges as opportunities to transform and thrive, and help lead the way toward a stronger economy and a healthier society. Deloitte is proud to be part of the largest global professional services network serving our clients in the markets that are most important to them. Building on more than 175 years of service, our network of member firms spans more than 150 countries and territories. Learn how Deloitte’s more than 345,000 people worldwide connect for impact at www.deloitte.com.