The next cybersecurity arms race is already here, but it's not too late to get a head start
Analysis Summary
# Main Topic
The ongoing "cybersecurity arms race" driven by the impending maturity of quantum computing, which threatens to break current cryptographic standards and would let adversaries decrypt sensitive data they have already collected (the "harvest now, decrypt later" tactic).
## Key Points
- Quantum computing renders current RSA and ECC cipher suites vulnerable, making preparation for Post-Quantum Cryptography (PQC) an immediate priority.
- Adversaries are actively engaging in "harvest now, decrypt later" attacks, intercepting and storing encrypted traffic for future decryption by quantum machines.
- Data at rest, especially data subject to long retention requirements (e.g., HIPAA lasting seven years, safety records lasting 50 years), is at extreme risk.
- Only 5% of organizations report having a defined quantum computing strategy despite 62% of professionals worrying about quantum breaking current encryption.
- Industry adoption of PQC standards is underway, with major browsers (Chrome, Edge, Firefox) supporting PQC-capable protocols, and about 34% of internet traffic being PQC-compliant at both endpoints.
## Threat Actors
- **General Adversaries/Nation-States:** Motivated to stockpile encrypted data now for future exploitation using quantum decryption capabilities.
- *Note: No specific named threat groups (APT names) were provided in the relevant context.*
## TTPs
- **Harvest Now, Decrypt Later:** Intercepting and storing protected data in anticipation of future quantum decryption capabilities.
- **Cryptographic Degradation:** Eventually exploiting weaknesses in current vulnerable cipher suites (RSA, ECC) once quantum systems are capable.
## Affected Systems
- **Data at Rest:** Data requiring long-term protection (e.g., healthcare records, governmental safety records).
- **Web Browsing/Connections:** TLS/SSL handshakes relying on vulnerable public-key cryptography.
- **Enterprise Infrastructure:** Any system relying on current standard cipher suites that will be deprecated.
## Mitigations
- Inventorying critical data and understanding its required retention period.
- Proactively building quantum resistance into architecture upgrades by adopting PQC standards as they are finalized.
- Modernizing encryption to utilize new classes of PQC algorithms (lattice-based, code-based, multivariate) resistant to quantum attacks.
- Integrating PQC support into upcoming infrastructure refreshes rather than retrofitting later.
- Staying agile with cryptographic strategies to adapt to emerging standards.
- Organizations (like Symantec/Carbon Black) are modernizing endpoint and workload protections to support PQC-compliant ciphers.
## Conclusion
The race against quantum decryption is active, characterized by the "harvest now, decrypt later" tactic. Organizations must urgently move beyond speculation by inventorying high-risk data and immediately beginning the transition to NIST-standardized Post-Quantum Cryptography, with interim deadlines approaching rapidly (vulnerable suites retired by 2030). Disciplined, future-forward planning is necessary to ensure resilience against imminent cryptographic risk.