Lance Cpl. Michael Ferguson fires an M136 AT4 rocket launcher in June 2012 at the Rodriguez Live Fire Complex in South Korea. (Photo by Lance Cpl. Robert Williams Jr./Marine Corps)

A virtual training range developed for the Marine Corps to prepare troops for cyber operations has been adapted to do everything from prepare for offensive actions to secure networks defensively against hacking threats like the Heartbleed security bug, Marine officials said.

The network was established by defense contractor ManTech within the last year at a cost of about $9.1 million. Maintained at an office park just south of Marine Corps Base Quantico, Va., it is used to train not only troops who focus on cyber operations, but Marines who focus on communications, intelligence and operational planning.

“Conceptually people might have a harder time picturing this battle space, but it is battle space,” said Col. Gregory T. Breazile, the director of the service’s cyber and electronic warfare integration division, in an interview. “When we in the Marine Corps look at maneuver warfare, this is maneuver warfare. It’s fighting the enemy’s weak points and exploiting those weak points so that you can defeat your adversary.”

[For the first time, Pentagon strategy addresses use of cyber weapons]

The range stands as an example of how the Pentagon is re-thinking cyber operations as hacking draws increasingly attention as a national security risk. A new Defense Department cyber warfare plan released in April explicitly called for the the Defense Department to “be able to use cyber operations to disrupt an adversary’s command and control networks, military-related critical infrastructure and weapons capabilities” if directed by the president.

The adoption of the new strategy followed calls by senior military officers to consider offensive cyber operations as a cost-effective weapon. For years before that, they had been cast mainly as a defensive need required to prevent catastrophic network attacks.

In the Marine Corps, the evolution of cyber operations has led the service to develop new doctrine for cyber operations. The guidelines, published earlier this year, are considered interim because of the quick-changing nature of cyber threats, but still serve as guidelines for what the service can and cannot do to protect its networks, Breazile said. The service also established a cyber task force this spring to assess how best to organize and prepare for cyber attacks.

‘There is going to be vulnerabilities,’ said Marine Col. Gregory Beazile. ‘It’s just how we address those vulnerabilities, how do we go hunt those bad actors and address them.’ (Defense Department photo)

“There is going to be vulnerabilities,” Breazile said. “It’s just how we address those vulnerabilities, how do we go hunt those bad actors and address them. There’s legal ramifications of all this, so there’s the legalities of doing certain actions in cyber space that we have to deal with.”

At least 387 Marines have been trained so far, said Joseph Caternor, a civilian working with the Marine Corps on the issue. He cited the Heartbleed bug as one specific threat the service has faced. Discovered last year, it allowed hackers to potentially gather personal information about service members and civilian employees, and required security patches that are now incorporated into training, he said.

[Heartbleed puts the chaotic nature of the Internet under a magnifying glass]

The Marines’ range is getting more use as the Defense Department continues to develop a massive national cyber range. Initially developed by the Defense Advanced Research Projects Agency (DARPA), the national range was called for by Congress in 2008, but eventually prompted complaints in the armed services that it was taking too long to build. That effort is still ongoing, with the Defense Department awarding a $14 million contract to Lockheed Martin last year.

One of the major benefits of the Marine Corps range is the money it saves testing existing networks for cybersecurity vulnerabilities, Breazile said. The process to certify and accredit that systems are safe can typically take months, but the range can be set up to take on the job. He estimated it will save the service about $60 million per year, citing the ability to avoid the laborious process previously required.

“All of our systems have vulnerabilities, and every year we have to identify and review our systems for new vulnerabilities,” he said. “By shortening the time frame and by getting this done in a much more rapid manner, that’s how we’re saving this money.”

U.S. military social media accounts apparently hacked by Islamic State sympathizers