Denis Mandich, CTO of Qrypt, a quantum cybersecurity company, and founding member of the Quantum Economic Development Consortium and CQT.
Anthropic is cautiously rolling out Mythos after the AI tool found thousands of previously unknown software vulnerabilities, triggering serious concern among security leaders about AI-enabled zero-day attacks.
While the concern is valid, it is also important to remember that hackers are also pursuing a harvest now, decrypt later (HNDL) strategy, where they steal valuable encrypted data in anticipation that quantum technology will be able to crack the encryption in the near future.
These are negative-day attacks: The adversary is not exploiting something defenders have missed, but betting the future will make today’s inaccessible secrets visible.
The cybersecurity industry cannot prepare only for the unknown bug that could appear tomorrow. It also has to prepare for the sensitive data, identity systems, certificates and communications that are considered safe today but may become vulnerable years from now.
While zero-day attacks require urgent attention, negative-day attacks require a structural cybersecurity shift.
From Zero-Day Shock To Negative-Day Risk
Zero-day attacks rose to fame in 2010 when the Stuxnet attack used multiple previously unknown exploits. This pre-AI engineering effort chained together five vulnerabilities to gain access to a uranium enrichment plant in Iran.
That history matters for boards, CISOs, software vendors and infrastructure providers because it shows what happens when hidden weaknesses are converted into real-world power.
But it does not mean every organization should view zero-day discovery as the center of the next security era. The larger question is what happens when attackers no longer need to find a perfect bug today but only need to wait for technology to advance.
With zero-day exploits, the effort is often not worth the reward. Although there are bug bounties to find them, that market is often tiny relative to the effort required to find them outside academia and general software development. The vast majority of these bugs are inconsequential, and there is no guarantee years of research will ever find one and pay off.
HNDL Is The Nearer-Term Bet
The cost of storing large amounts of data is approaching zero, while the potential value it can unlock is high. Those economics alone can make HNDL a rational bet for any well-resourced attacker.
This is where focusing on HNDL can pay off. Some cryptographic security gets broken by the brute force of larger computers. Some get broken by discovering flaws, implementation errors and so on.
With HNDL, the attacker does not need immediate success. They only need patience, storage and confidence that today’s cryptography or implementation assumptions will eventually fail.
Negative-day attacks lie ahead when corporations begin making large-scale quantum computers available as a service, just as AI has become ubiquitous today. New discoveries continue to push down the number of qubits needed to break current encryption, with more to come as even more advanced AI is used for cryptanalysis.
The bigger problem predates Stuxnet: We keep pretending our best cyber analysts can predict what more advanced AI, especially when paired with powerful quantum computers, will make this possible.
Understanding that AI will continue to make finding zero-days faster is the easy part. The difficulty is preparing for the unknowable when AI acts like a searchlight sweeping across combinations no human would ever have time to explore and test.
Novel solutions are highly likely, and finding bugs in any software is a certainty. Some will matter, but most will not, despite the hype.
Moving Beyond Single Points Of Failure
Public key infrastructure (PKI) is one area of major concern beyond software bugs. Certificates, protocols, libraries, vendors, devices and identity systems must all be upgraded together. Without this step, something can break catastrophically, as seen with Log4J, WannaCry, MOVEit, etc.
Companies must move away from allowing these factors to become single points of failure. Prioritizing security, redundancy and resilience means building entirely new architectures rather than simply stringing legacy tools together in a series.
We are currently operating on a severely compressed timeline, driven largely by executive orders and legislation, with organizations and government vendors looking to improve their post-quantum cryptography (PQC). But if every social media platform and government network uses the same cryptographic tool, then attackers will be looking for ways to exploit this single point of attack.
The Future Is Now An Attack Surface
The future is now an attack surface. The old zero-day model assumed the attacker had to discover a hidden weakness before defenders could patch it.
Negative-day attacks break that timeline and invert the logic, because even unbroken systems, perfectly deployed, can become liabilities with time. The attacker does not need to win today. They can simply wait for quantum capability, AI-assisted cryptanalysis or some unexpected implementation failure to turn yesterday’s ciphertext into tomorrow’s intelligence or monetizable IP.
Treating post-
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
