The Patience of the “Data Protection” Spy
- Samuel Sabogal
- 3 days ago
- 4 min read
In 1943, a mathematics professor recruited by the U.S. Army began cataloging encrypted messages that no one knew how to read. What happened next is the best lesson in security that almost no one studies.
The cables were Soviet, intercepted and stored with no immediate hope of decrypting them. Moscow protected them with a one-time pad—the only encryption system that mathematics proves to be perfect and unbreakable, with one sacred condition: each key is used exactly once and is never repeated. Once that rule is followed, the message becomes pure noise forever. The Soviet Union believed it had followed that rule.
The single-digit error
Under the pressure of war, Soviet code factories did the unthinkable: they reprinted and reused some pages from those notebooks. An administrative shortcut, invisible to whoever sent the message. That repetition was the crack.
Years later, American cryptanalysts—including Meredith Gardner—began to follow the trail. The project was called Venona. What emerged from those reopened envelopes exposed the network that stole the secrets of the atomic bomb: Klaus Fuchs, Harry Gold, the Rosenbergs—executed in 1953—and the Cambridge Five, including Kim Philby. Venona continued to decrypt cables until 1980, and the operation was not made public until 1995.
It’s worth pausing to consider the dates. A message written in 1944 was read by the enemy decades later. By then, it no longer mattered how careful the spy had been or how “unbreakable” his code was. The damage wasn’t done on the day the message was sent; it was done on the day the adversary, without haste, decided to open the envelope.
A secret lasts less than its lock
This gives rise to a fundamental concept in data protection: information security does not depend solely on the encryption an organization uses today, but on the weakest algorithm it will have throughout the entire lifespan of its data.
And some data has a very long lifespan. A life insurance policy must remain confidential even when the policyholder has grandchildren. A medical record never expires. When a secret outlives the lock that holds it, the question is no longer whether someone will be able to open it, but rather who will be waiting when the lock finally gives way.
The same data protection problem, now expressed in physics
Let’s swap Soviet notebooks for RSA and elliptic curve cryptography (ECC)—the cryptography that currently protects your connection to the bank, your emails, your backups, and nearly all encrypted traffic on the planet. Today, they’re considered secure because breaking them would require a conventional computer to run for longer than the age of the universe.
In 1994, mathematician Peter Shor proved that this guarantee has an expiration date. A sufficiently large quantum computer wouldn’t take millennia to break RSA and ECC—it would take hours. It doesn’t weaken them; it obliterates them.

That machine does not yet exist on the necessary scale, and therein lies the exact echo of Venona. An adversary does not need a quantum computer today to benefit from it. It is enough to intercept and store the encrypted traffic it cannot read now, and keep it just as one would file an undeciphered cable, waiting for the machine that will one day open all the envelopes at once. The encrypted traffic of 2026 is the Soviet cable of 1944: it may already have been copied, it is already stored, and all that remains is for someone to make the decision.
The clock is no longer a nebula
Cryptographer Michele Mosca boiled it down to an uncomfortable inequality: you’re already at risk if the number of years your data must remain secret, added to the number of years it will take to migrate your cryptography, exceeds the number of years remaining until a quantum computer exists.
Until recently, that last number was a comfortable fog somewhere far off in the future. Not anymore. Google itself has set 2029 as the target for its first large-scale quantum computer. That’s two and a half years. The time it takes for a loan to be disbursed, an insurance policy to be issued, or an IT project to move from proposal to the first phase. And as you read this page, the traffic your organization encrypted yesterday may already have been copied and archived, waiting for that date with the same patience with which Arlington Hall waited forty years. The countdown doesn’t start the day the machine is turned on. It started the day your data left the network.
This time, the new lock arrived first
It’s the only difference from 1944, but it changes everything: defense got the jump on offense.
In August 2024, after nearly a decade of global competition, the U.S. NIST standardized the first generation of quantum-safe algorithms, designed to withstand both classical and quantum computers: ML-KEM for key exchange, and ML-DSA and SLH-DSA for signatures. The lock that neither Shor nor a quantum machine can open has already been published and tested. And the transition doesn’t require taking a leap of faith: the approach adopted by the industry is a hybrid one—combining today’s classical encryption (X25519) with the new one (ML-KEM)—so that the channel can only be compromised if both fail at the same time.
The future is already stealing your data
At Cyte, we protect your information in every state in which an adversary might compromise it: from the bit traveling at the speed of light through a fiber-optic cable—exposed every microsecond of its journey—to the one resting encrypted on a disk while no one is looking, replicated on static servers spread across multiple countries where you no longer decide who has access to the rack.
Whether in motion, at rest, or in use, our Quantum Safe cryptography—the hybrid ML-KEM + X25519 core that top-tier banks are beginning to adopt—shields today what the enemy intends to read when, in two and a half years, you turn on your machine. And it does so on the infrastructure you already have, without rewriting your applications.





Comments