This is the most informed view you'll find anywhere regarding the legality of a "proportional response" by the United States to the SONY breach.

The commission of an internationally wrongful act entitles an injured State to engage in “countermeasures” under the law of State responsibility, as captured in Article 22 and 49-54 of the Articles on State Responsibility. Countermeasures are actions by an injured State that breach obligations owed to the “responsible” State (the one initially violating its legal obligations) in order to persuade the latter to return to a state of lawfulness. Thus, if the cyber operation against Sony is attributable to North Korea and breached U.S. sovereignty, the United States could have responded with countermeasures, such as a “hack back” against North Korean cyber assets. Indeed, it may still enjoy the right to conduct countermeasures, either because it is reasonable to conclude that the operation is but the first blow in a campaign consisting of multiple cyber operations or based on certain technical rules relating to reparations. It must be cautioned that the right to take countermeasures is subject to strict limitations dealing with such matters as notice, proportionality, and timing. Moreover, they are only available against States and the prevailing view is that a countermeasure may not rise to the level of a use of force.