An interesting article comparing Vladimir Putin's backing of hackers targeting Western nations to early modern "letters of marque" under which rulers like Queen Elizabeth II authorized privateers to capture merchant vessels of adversaries such as Spain.
Otherwise, such activities would be piracy, and punishable by death. The US Constitution actually gives Congress the power to issue letters of "marque and reprisal." Most constitutional law scholars see this as basically a dead letter in the modern world. But if the article is right to argue that the US should retaliate against Russia in kind, perhaps the Clause can be used to authorize US hackers to target Russian government facilities. It could even be extended to offer bounties to those who successfully hack, e.g., Russian military and intelligence databases (privateers sometimes got bounties and prize money from early modern governments).
England had less in the way of valuable overseas trade at the time - except in some regions close to home where the Spaniards probably thought it too dangerous to venture. The Spaniards did, if I remember right, not recognize the legality of the English privateers and still treated them as pirates.
Russia has much more dependence on computers than 16th century England had on shipping vulnerable to Spanish attack.
I don't know whether unleashing hackers on Russia is a good idea or not. But to work, it need not inflict as much damage as Russia could in quantitative terms. It need only be enough to make the conflict too costly for Putin to bear.
That said, I'm not actually endorsing this sort of policy. I don't know enough about the issue to do so, and there are some obvious arguments against it. If it is tried at all, it should be strictly limited to government facilities, not private ones (unlike early modern privateers, who were essentially allowed to target any ships with the "wrong" flag).
I am skeptical that the present Russian government can be trusted to abide by any agreements. What they are doing is already illegal under current international law. If they violate existing law with impunity, they will do the same with a new agreement - unless there is some kind of new deterrent involved hefty enough to change the structure of incentives.
Russia does have lots of tech firms and other businesses which are "big" in the sense of having, say, hundreds of employees, and millions of dollars of net worth, and their only government connections are just whatever they need to do to stay in business (which, of course, may well involve paying bribes to officials and avoiding open criticism of the government). In other cases, the line between public and private is fuzzy. But the same is sometimes true in the US (as with public utilities, defense contractors, etc.).
There is of course, the Paris declaration which nearly every major power has signed or adheres to. However, a new US law could supersede it, as far as US law is concerned. Other nations could still try to prosecute the US hackers. But, unlike with pirates who can be captured on the high seas, other governments would have a hard time getting their hands on US hackers if the US government chose not to cooperate (just as the US has had great difficulty targeting Russian-supported hackers).