Which One Is Right?
Part 3 of 3. Nine states on the board, seven trades, and the two clean-looking calls fall apart. Tokyo is choosing this quarter.
On April 9, a hacking crew called Handala posted two sentences to a Telegram channel and, for about a day, let the world see the wiring behind Iran’s cyber power. That is where Part 1 started. Then the same off-switch surfaced in Russia and Ukraine, the same machinery turned up in China’s contractor leaks, and North Korea ran the lonely opposite of all of it. That was Part 2.
If those two parts moved fast, here is the whole board in one breath.
A state building cyber power is really answering one question: who sits on the wire between the political order and the computer keyboard? Put a deniable layer in the middle and you get a proxy architecture: Iran, Russia, China. Keep the operator inside the state and you get a state-direct architecture: North Korea and the West. The criminals, the contractors, the lawyers, the off-switches all follow from that one choice.
Five architectures came out of Parts 1 and 2. Here they are, plus four more states bringing cyber power online right now. Six dimensions define an architecture; four of them fit a table: who’s at the keyboard, what the architecture is built to do, what hides the operator, and whether the law gets a vote.
A few of those rows earn a sentence.
Israel built the one cover layer a government can actually regulate: a licensing office. The same Unit 8200 alumni who build the state’s tools leave to found companies (NSO, Candiru, Paragon) that sell the commercial-grade version abroad under a government export stamp. Deniability you can invoice.
Ukraine proves a democracy can run a proxy when a war demands one. Its IT Army is the Russian template rebuilt bottom-up and in a hurry: volunteers in place of a co-opted criminal underworld, but the same demonstrable off-switch, shown when it went quiet for the May 9 to 11 ceasefire and came back swinging at midnight.
India is the row the framework cannot fill yet. The open source shows a market: Appin, BellTroX, a decade of hack-for-hire. It does not yet show the state conduit that would turn a market into an architecture. Watch that row.
The two dimensions that don’t fit the grid are the ones that decide the contest: whether a state can prove an off-switch, and where it finds its operators. Neither reduces to a yes-or-no cell. Both are judgment calls, and both come back as trades when I grade these architectures below.
So, which one is best?
That’s the question the whole series has been walking toward.
Setting aside the moral question, of course.
The moral question is real. Iranian cyber operators target civilian water infrastructure. Russian and North Korean cybercriminals out of the proxy ecosystems steal money and ransom hospitals. Chinese contract hackers compromise the personal data of every citizen of every country they operate in. These are not abstractions. They harm people, and the harms are unevenly distributed, and the architectures I’m about to grade are architectures that produce those harms by design.
I’m setting the moral question aside anyway. The architectural question is the one those capitals are arguing about right now, in the phase where new cyber rules actually get drafted into law. They already know the moral cost. What they’re arguing about is how much capability sits inside the state, how much sits in commercial vendors, how much sits in a deniable layer that does not yet exist in their countries. The moral debate has been running for twenty years. The architectural debate never happened. Public discourse is still asking the threat question. Tokyo’s analysts, who are about to implement the newest branch of the global cyber power arms race, are not.
Sometime in the years I served at US Cyber Command, I sat in a planning room for an operation I cannot describe. The technical option was clean. The intelligence was solid. The target was authorized. The mission plan was complete.
The legal analysis was not.
Not yet anyway. The lawyer needed forty-eight hours to walk a specific provision against a specific framework against a specific definition of the target’s connectivity to a specific category of a single sub-sector of a particular technology industry. You out of breath yet?
We waited forty-eight hours. Then seventy-two. Then ninety-six. The operation never happened.
I’ve sat in that room often enough to know what that room is for.
The lawyers were there because the architecture was built that way, deliberately. Title 10 and Title 50 and Title 18 (the laws that separate military operations, intelligence operations, and ordinary law enforcement) and the oversight committees and the DOJ review board and the National Security Council and the eleven other forums where the operation could be reviewed before it went live all exist because the United States made a commitment to keep the keyboard accountable to the Constitution.
An operations officer at MOIS, Iran’s intelligence ministry, could have authorized an equivalent operation that same day with a phone call. He would not have asked a lawyer. He would not have had a lawyer to ask. His architecture was built that way, deliberately, too.
What the Western architecture gains: legal defensibility, democratic accountability, and the highest capability ceiling. What it gives up: speed, a cutout to blame, and the ability to re-task under political pressure.
Those lawyers are what the conduit was traded for.
There are seven things a state can optimize for when it builds cyber power. No architecture wins all seven.
Impact per dollar. The proxy model wins. Iran and Russia produce more disruption per dollar of state cyber budget than any other architecture, because the criminal ecosystem spreads infrastructure costs across thousands of operators, only some of whom the state has to fund directly. Stryker’s $317 million quarterly shortfall (the medical-device maker whose global device fleet Iran’s proxy wiped in Part 1) and Change Healthcare’s $1.5 billion hit (the Russian-proxy ransomware attack from Part 2) were produced on state-cyber budgets a fraction of the West’s.
Deniability. It splits in two. Political deniability: the proxy model wins. Handala can be disowned at the level of the Ministry; the Ministry can be disowned at the level of the regime, and prosecutors and treaty regimes have trouble piercing either layer. Technical deniability is the other half, and the Western model wins it. The proxy buys a cutout to blame, then spends the advantage on operators who announce themselves on Telegram, reuse infrastructure, and surface in the i-SOON and KnownSec leaks. The Western architecture has no cutout. If one of its operations is ever attributed, it is unambiguously the United States, so it pours everything into never being attributed at all. OPSEC rules everything. The proxy denies the relationship; the West denies the fingerprint.
The political off-switch. The proxy model wins again, but only when the proxy has been built carefully. Iran demonstrated this on April 9. Ukraine demonstrated it through its IT Army’s cyber-pause on May 9 to 11. The conduit is the off-switch. The architecture without a conduit cannot show one.
Legal defensibility. The Western model wins. The Department of Justice indicted twelve Chinese contract hackers in March 2025. The FBI has documented North Korean operations going back a decade and a half. The joint advisories from Western agencies name names. American oversight hearings produce the most documented legal record of state cyber capability that exists. The Russian, Iranian, and North Korean models cannot defend their operations in any court that matters, because the architectures are designed to be undefendable. The Western model wins on paper (although it’s the only architecture that requires paper).
Ecosystem health. The easy call is that the West wins this one. I don’t think it holds. Three talent engines run here, and they run on different fuel. The Western pipeline runs on prestige and clearance: the Naval Academy and Carnegie Mellon and MIT into NSA, Cyber Command, and a cleared contractor base, throttled by how fast the government can clear people and how badly it pays against industry. The Russian pipeline runs on incentive: the criminal economy recruits, pays, and trains itself, and the state harvests the capability without funding it. The Chinese pipeline runs on scale: 250-plus firms competing for state tasking, what the i-SOON leak called “a competitive marketplace of independent contractor hackers-for-hire,” and by sheer volume of trained operators it may now be the healthiest of the three. The West still leads at the very top. It no longer obviously leads the pipeline. North Korea cannot match any of them; it has no private sector at all. Iran’s labor market is capped by sanctions.
Capability ceiling. The Western model wins at the top, with the Chinese hybrid catching up. The hardest offensive operations (the implant chains that survive disclosure, the supply-chain compromises that take a year of staging, the cryptographic capability that does not show up in any commercial product) remain Western-led, with one near-peer competitor. The KnownSec leak (Chinese state hacking tools and documentation dumped in November 2025) suggests the gap is closing.
Adaptability under political pressure. The proxy model wins, and it wins big. Iran retargeted from US infrastructure to Israeli infrastructure on April 9, by sentence. The Western architecture, in the equivalent scenario, would have needed forty-eight hours, a chairman’s recommendation, and a Presidential determination.
Seven trades, and not one clean sweep among them. No model wins all seven. The two that look like clean calls, deniability and ecosystem, split or flip the moment you press them. The best you can hope for, building from scratch, is to pick the trades you can live with.
Japan is building from scratch.
The Diet passed the Active Cyber Defense Act on May 16, 2025. It goes into force on October 1, 2026. Four and a half months from today. Tokyo reorganized the National Information Security Center into the National Cybersecurity Office in July 2025. The Cybersecurity Council is expected to be reestablished by November 2026, with the Prime Minister, relevant ministry heads, specified essential infrastructure providers, and IT vendors at the table. The implementing regulations that govern what kind of architecture Japan is building are being drafted this quarter, in Kasumigaseki, by officials who have read every word of every advisory the West has published in twenty years and are still arguing about what they think.
Tokyo is not choosing alone. The officials I met in Taipei last December were wrestling with the same structural tensions on the same clock: how much capability to hold inside the state, how much to push out to commercial vendors, how to stay connected to allied capability without surrendering sovereign control. Taiwan, Japan, Australia, and every other Indo-Pacific democracy bringing cyber power online this decade is solving a version of the same equation. The implementing details differ. The architectural question is identical.
The default advice is build like the West.
The default advice was already being quietly questioned before this week. The Iran and Ukraine wars showed proxy architectures winning in the same quarter Western institutions were visibly cracking (CISA at 38% is the documented data point). The joint statement Xi and Putin signed in Beijing late last month turned the questioning louder. Russia and China have now publicly committed to a UN-centric cyber-governance model anchored in state sovereignty. That is the international-norm framework that legitimizes the conduit architectures. Tokyo’s architectural choice is now also a normative choice: which side of that public alignment Japan stands on, and how deeply.
The implementing regulations will decide where Japan’s conduit runs, how deep it’s buried, and whether it has an off-switch demonstrable in public. I argued in April that Japan’s recent military pivot happened deliberately as a set of capabilities Tokyo quietly built before launching them. The cyber pivot is the same pattern.
This piece does not tell Tokyo what to build. It names the seven trades, names the public norm fight that just got louder, and notes that Tokyo is choosing both this quarter. The officials drafting the regulations understand the moral question already. The architectural one is the file they can’t put down.
A note for defenders.
Knowing which architecture is running against you tells you what your options are. Proxy architectures fail at off-switch reliability over long timeframes: the proxy can go autonomous, can be re-tasked by a different patron, can fragment under sanctions. The very visibility of Handala’s April 9 post (a state-directed proxy speaking publicly about its chain of command) is itself the off-switch’s failure mode. State-direct architectures fail at coverage: every operation has to clear the legal review I described above, and the review forecloses the marginal operation that the proxy architecture would have run. The North Korean model fails at clean attribution: the operators are also the money launderers, and the laundering shows up in blockchain analysis. The whole trail from stolen Ethereum to clean Bitcoin runs back to North Korea’s RGB, its military intelligence bureau, under names like Lazarus and TraderTraitor. The Chinese hybrid fails at scale-coordination: the contractor market produces noise the state cannot fully control, which is why the i-SOON and KnownSec contractor leaks happened.
Calibrate to the architecture, not just to the threat actor. The threat actor is a target on a chart. The architecture is the chart.
Callback to April 9.
The conduit is taut against the United States. The conduit is slack against Israel. The architecture is doing exactly what its designers wanted it to do.
On May 20, six weeks after Handala’s postponement and three weeks ago, Russia and China signed a joint statement saying the conduit architectures should be legitimate under international law.
Whether that is what the West should want, whether that is what Tokyo should build, is the question this series leaves on the table.
It is also the question the policy shops are already arguing about, in private, in three capitals I will not name.
The architectural debate has started.
Most of us are not yet in it.
— Brandon