China’s harvest now, decrypt later play puts every Briton’s data at risk

Britain’s cyber defenders are warning that China has quietly spent years sweeping up personal and classified data across the UK, storing it for the day quantum computers can crack today’s strongest locks. The tactic has a name in security circles, harvest now, decrypt later. The fear is simple. Even if your data is encrypted, it may not stay that way for long.

GCHQ says state backed hackers have run an unrestrained campaign since at least 2021, tied to a sprawling operation known as Salt Typhoon that has hit government networks, telecoms, transport, lodging, energy and even military systems in more than 80 countries. Former GCHQ cryptography chief Daniel Shiu considers it credible that almost all UK citizens have had data compromised. That haul can be weaponised to profile academics, engineers and civil servants, to blackmail employees in sensitive sectors, and to map the systems that keep the lights on.

The quantum clock is ticking

The strategy hinges on timing. Classical encryption is built on problems that take ordinary computers longer than the age of the universe to solve. Quantum machines change that equation. By running many possibilities in parallel, a sufficiently powerful quantum computer could tear through widely used algorithms in minutes or seconds. Security leaders talk about Q Day, the moment quantum attacks move from theory to practice. Some industry voices warn that it could be uncomfortably close.

UK officials say there is mitigation in place for government traffic, yet they are urging businesses to plan now. The National Institute of Standards and Technology has already standardised initial post quantum cryptography algorithms. The UK’s National Cyber Security Centre has published a migration roadmap. The aim is for most companies to be ready to switch plans on by 2028, and to complete the move by the early 2030s. Experts at Oxford and elsewhere warn that the skills gap is real. Britain must accelerate or risk years of exposure.

Salt Typhoon, a playbook for patience

GCHQ attributes Salt Typhoon to Chinese state actors and, in an unusual step, has named three Chinese firms it says participated. The operation blends large scale reconnaissance with targeted intrusion. Late night access attempts. Chains of overseas servers acting as springboards. Zero day exploits that bypass intrusion detection. The goal is persistence. Get in. Stay quiet. Copy everything worth having. If an encrypted trove cannot be read today, copy it anyway, then wait.

That patience is why the threat cuts both ways. It is not only personal banking details or private chats that could be cracked. It is also configuration data for power substations, timing feeds for markets and navigation, and logs that reveal who speaks to whom inside Whitehall. Security chiefs describe China as the UK’s most significant long term strategic challenge. They say the intrusions are daily and sophisticated. They also say they are intervening and will continue to do so.

Why encryption breaks, and how to fix it

Modern public key encryption often relies on the difficulty of factoring enormous numbers into their prime components. A classical computer must test possibilities in series, which becomes infeasible as numbers grow. A quantum computer can evaluate many paths at once, which collapses the time needed to find the answer. The fix is to adopt new maths that remains hard for quantum machines. Lattice based schemes and other post quantum algorithms are designed for that.

Migration is not a software patch. It is a programme. Inventory where cryptography is used. Prioritise crown jewels. Test quantum safe options. Plan cutovers and key management changes. Coordinate with suppliers. Regulators will expect to see that plan. Boards should too.

What this means for people and firms right now

For the public. Use strong, unique passwords. Turn on phishing resistant multi factor authentication. Install security updates promptly. Assume that anything valuable can be a target.

For organisations. Treat harvest now, decrypt later as a current risk, not a future one. Classify data by the damage it would cause if decrypted in five to ten years. Start a post quantum readiness programme. Align to the NCSC roadmap. Budget for cryptography refreshes in every major system upgrade from now on.

The stakes

This is an infrastructure story as much as an intelligence story. A millisecond timing error can ripple through substations. A microsecond jitter can move markets. A broken encryption scheme can turn quiet stockpiles into live breaches overnight. Quantum capability will not arrive everywhere at once, but adversaries only need it to arrive once in the right place. The UK must compress a decade of cryptographic change into a few tight years. The harvest is already in cold storage. The race is to make sure it stays unreadable.

Photo Credit: DepositPhotos.com