A couple days ago, we found out about Heartbleed, the flaw in the way many websites use to encrypt and send data. According to Bloomberg, the National Security Agency has known about it for two years.

Did they raise an alert that the basic security of the internet had been compromised? Did they warn users and other governments?

Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost. Millions of ordinary users were left vulnerable to attack from other nations’ intelligence arms and criminal hackers.

The report questions the paradox of cybersecurity. Apparently defending the government and big corporations requires going on the offensive against ordinary users.

Ordinary Internet users are ill-served by the arrangement because serious flaws are not fixed, exposing their data to domestic and international spy organizations and criminals, said John Pescatore, director of emerging security trends at the SANS Institute, a Bethesda, Maryland-based cyber-security training organization.

“If you combine the two into one government agency, which mission wins?” asked Pescatore, who formerly worked in security for the NSA and the U.S. Secret Service. “Invariably when this has happened over time, the offensive mission wins.”

Check out the complete Bloomberg article. It’s worth it.