IMHO, the IC gave up on the feasibility of maintaining hegemony over encryption, particularly in the face of non-corporate open source. You can't sue a book / t-shirt / anonymous contributors.
Consequently, they still have highly motivated and talented cryptanalysts and vast resources, but they're attacking widely-deployed academically-sound crypto systems.
Hypothetical encryption-breaking machines (e.g. large quantum computers) are too obviously a double-edged sword: who else has one? And given that possibility, wouldn't you switch to algorithms more secure against them?
In reality, the NSA's preference would likely be that no-such machine exists, but rather there are brute-force attacks that require incredibly large and expensive amounts of computational resources. Because if it's just a money problem, the US can feel more confident that they're near the top of the pile.
Which probably means that their most efficient target has shifted from mathematical forced decryption to implementation attacks. Even the strongest safe has a weakest point. Which may still be strong, but is the best option if you need to get in.
I don't know much about hardware, but is it not possible that there is a small part of a chip somewhere deep in the highly complex systems we have that simply intercepts prior to encryption and, if some condition is met (a remote connection sets a flag via hardware set keys), encrypts/sends the data elsewhere? Something like that anyway. It seems possible, but idk how plausible it is, and if things like the Linux kernel would be likely to not report on it, if the hardware is not known enough.
Anyway, just suggesting something that wouldn't require quantum cryptography.
As pointed out by another comment above, exfiltration then becomes the risky step.
If that did exist, you'd still have to get packets out through an unknown network, running unknown detection tools. Possible, but dicey over the intermediate term.
Who's to say they didn't just plug a box in, run a fake workload on it, and put all network traffic it emits under a microscope?
Seems like you could just blast it out on one of the endless Microsoft telemetry or update channels that are chatting away all day and either intercept outside the network or with Microsoft's help. Only way to protect against that would be blocking all internet access.
Consequently, they still have highly motivated and talented cryptanalysts and vast resources, but they're attacking widely-deployed academically-sound crypto systems.
Hypothetical encryption-breaking machines (e.g. large quantum computers) are too obviously a double-edged sword: who else has one? And given that possibility, wouldn't you switch to algorithms more secure against them?
In reality, the NSA's preference would likely be that no-such machine exists, but rather there are brute-force attacks that require incredibly large and expensive amounts of computational resources. Because if it's just a money problem, the US can feel more confident that they're near the top of the pile.
Which probably means that their most efficient target has shifted from mathematical forced decryption to implementation attacks. Even the strongest safe has a weakest point. Which may still be strong, but is the best option if you need to get in.